TAMConfig

Use the Jython or Jacl scripting languages to configure embedded IBM Security Access Manager with the wsadmin tool. The commands in the TAMConfig group can be used to configure or unconfigure ISAM.

1. configureTAM
2. listTAMSettings
3. modifyTAM
4. reconfigureTAM
5. unconfigureTAM
6. configureTAMTAI
7. unconfigureTAMTAI
8. configureTAMTAIProperties
9. unconfigureTAMTAIProperties
10. configureTAMTAIPdjrte
11. unconfigureTAMTAIPdjrte

configureTAM

Manually configure the ISAM.

Target object: None.

Required parameters None.

Optional parameters None.

Interactive mode example usage:

• Use Jacl:
  $AdminTask configureTAM {-interactive}

• Use Jython:
  AdminTask.configureTAM('-interactive')

listTAMSettings

Display the current embedded ISAM configuration settings.

Target object: None.

Required parameters None.

Optional parameters None.

Interactive mode example usage:

• Use Jacl:
  $AdminTask listTAMSettings {-interactive}

• Use Jython:
  print AdminTask.listTAMSettings('-interactive')

modifyTAM

Modify embedded ISAM configuration settings.

Target object: None.

Required parameters:

-adminPasswd

The ISAM administrator password. (String, required)

Optional parameters:

-adminUid

The ISAM user name. (String, optional)

-nodeName

Target node or nodes. Set the value as the * asterisk character to specify all nodes. (String, optional)

Interactive mode example usage:

• Use Jacl:
  $AdminTask modifyTAM {-adminPasswd my11password}

• Use Jython:
  AdminTask.modifyTAM('-adminPasswd my11password')

• Use Jython list:
  AdminTask.modifyTAM(['-adminPasswd', 'my11password'])

Interactive mode example usage:

• Use Jacl:
  $AdminTask modifyTAM {-interactive}

• Use Jython:
  AdminTask.modifyTAM('-interactive')

reconfigureTAM

Reconfigure the Java Authorization Contract for Containers (JACC) ISAM settings.

Target object: None.

Required parameters None.

Optional parameters None.

Interactive mode example usage:

• Use Jacl:
  $AdminTask reconfigureTAM {-interactive}

• Use Jython:
  AdminTask.reconfigureTAM('-interactive')

unconfigureTAM

Remove configuration data for the Java Authorization Contract for Containers (JACC) ISAM.

Required parameters None.

Optional parameters None.

Interactive mode example usage:

• Use Jacl:
  $AdminTask unconfigureTAM {-interactive}

• Use Jython:
  AdminTask.unconfigureTAM('-interactive')

configureTAMTAI

Configure the embedded ISAM trust association interceptor (TAI) with classname TAMTrustAsociationInterceptorPlus.

Target object: None.

Required parameters:

-policySvr

Name of the ISAM policy server with which the application server communicates. The server is specified by a fully-qualified host name, the SSL port number, and the rank. The default SSL port number is 7135. For example: myauth.mycompany.com:7135:1.

-authSvrs

Name of the ISAM authorization server with which the application server communicates. The server is specified by a fully-qualified host name, the SSL port number, and the rank. The default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. We can specify multiple servers if the entries are separated by a comma (,).

-adminPasswd

This property specifies the password of the ISAM administrator user associated with the -adminUid parameter. The password restrictions depend upon the password policy for our ISAM configuration.

-loginId

The WebSEAL trusted user as created in "Creating a trusted user account in ISAM". See the Configuring single sign-on using trust association interceptor ++ article for more information. The format of the username is the short name representation.

Optional parameters:

-adminUid

This property specifies the ISAM administrator name. If not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the administrative ID.

For example, for U.S. English, the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry.

-secDomain

This property specifies the ISAM domain name to which the administrator is authenticated. This domain must exist and an administrator ID and password must be valid for this domain. The application server is specified in this domain. If the application server is not specified, the default value is Default. The local domain value is retrieved from the configuration file.

A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the domain name.

For example, for U.S. English, the valid characters for domain names are the letters a-Z, the numbers 0-9, a period ( . ), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry.

-checkViaHeader

We can configure TAI so that the via header can be ignored when validating trust for a request. Set to false if none of the hosts in the via header need to be trusted. When set to false, we do not need to set the trusted host names and host ports properties. The only mandatory property to check when the via header is false is com.ibm.websphere.security.webseal.loginId. The default value of the check via header property is false. When using ISAM plug-in for web servers, set this property to false.

The via header is part of the standard HTTP header that records the server names that the request passed through.

-id

This property specifies a comma-separated list of headers that exists in the request. If all of the configured headers do not exist in the request, trust cannot be established. The default value for the ID property is iv-creds. Any other values set in WebSphere Application Server are added to the list along with iv-creds, separated by commas.

-hostnames

Do not set this property if we are using the ISAM plug-in for web servers. This property specifies the host names (case-sensitive) that are both trusted and expected in the request header. Requests arriving from unlisted hosts might not be trusted. If the checkViaHeader property is not set, or is set to false, then the trusted host names property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, the TAI initialization fails.

-ports

Do not set this property if we are using the ISAM plug-in for web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set, or is set to false, then this property has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WAS, the TAI initialization fails.

-viaDepth

This property indicates a positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The viaDepth property is used when only some of the hosts in the via header have to be trusted. The setting indicates the number of hosts, starting from the right end in the header, required to be trusted.

For example, consider the following header:

If in via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001If the viaDepth property is not set, is set to 2 or is set to 0, and a request with the previous via header is received then both webseal1:7002 and webseal2:7001 need to be trusted. The following configuration then applies:

com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2

If in com.ibm.websphere.security.webseal.ports = 7002,7001If the viaDepth property is set to 1, and the previous request is received, then only the last host in the via header needs to be trusted. The following configuration then applies:

com.ibm.websphere.security.webseal.hostnames = webseal2 com.ibm.websphere.security.webseal.ports = 7001

The viaDepth property is set to 0 by default, which means that all of the hosts in the via header are checked for trust.

-ssoPwdExpiry

After trust is established for a request, the single sign-on user password is cached, eliminating the need to have the TAI re-authenticate the single sign-on user with ISAM for every request. We can modify the cache timeout period by setting the single sign-on password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. The default value for the password expiry property is 600.

-ignoreProxy

This property can be used to tell the TAI to ignore proxies as trusted hosts. If true the comments field of the hosts entry in the via header is checked to determine if a host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false, then the ignoreProxy property has no influence in establishing trust.

-configURL

For the TAI to establish trust for a request, it requires that the SvrSslCfg task be run for the Java Virtual Machine on the Application Server and result in the creation of a properties file. If this properties file is not at the default URL, which is file://java.home/PdPerm.properties, the correct URL of the properties file must be set in the configuration URL property. If this property is not set, and the SvrSslCfg-generated properties file is not in the default location, the TAI initialization fails. The default value for the config URL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.

-defer

This property indicates whether the ISAM configuration portion of this task should be run immediately or deferred until the startup of the WAS. The default is no.

The TAI properties are updated immediately regardless of this setting.

Interactive mode example usage:

• Use Jacl:
  $AdminTask configureTAMTAI {-interactive}

• Use Jython:
  AdminTask.configureTAMTAI('-interactive')

unconfigureTAMTAI

Unconfigure the embedded ISAM Trust Association Interceptor with classname TAMTrustAsociationInterceptorPlus. This task does not include removing any custom properties from the security configuration.

Target object: None.

Required parameters:

-adminPasswd

Password of the ISAM administrator user associated with the -adminUid parameter. The password restrictions depend upon the password policy for our ISAM configuration.

Optional parameters:

-adminUid

The ISAM administrator name. If not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the administrative ID.

For example, for U.S. English the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry.

-force

Indicates whether or not this task should stop when an error is encountered. The default is no.

-defer

Indicates whether this task should be run immediately or deferred until the startup of the WAS. The default is no.

Interactive mode example usage:

• Use Jacl:
  $AdminTask unconfigureTAMTAI {-interactive}

• Use Jython:
  AdminTask.unconfigureTAMTAI('-interactive')

configureTAMTAIProperties

Add the custom properties to the security configuration for the embedded ISAM Trust Association Interceptor with classname TAMTrustAsociationInterceptorPlus.

Target object: None.

Required parameters:

-loginId

The WebSEAL trusted user is created as discussed in "Creating a trusted user account in ISAM". See the Configuring single sign-on using trust association interceptor ++ article for more information. The format of the username is the short name representation.

Optional parameters:

-checkViaHeader

We can configure TAI so that the via header can be ignored when validating trust for a request. Set to false if none of the hosts in the via header need to be trusted. When set to false we do not need to set the trusted host names and host ports properties. The only mandatory property to check when via header is false is com.ibm.websphere.security.webseal.loginId. The default value of the check via header property is false. When using ISAM plug-in for web servers, set this property to false.

The via header is part of the standard HTTP header that records the server names that the request passed through.

-id

This property indicates a comma-separated list of headers that exists in the request. If all of the configured headers do not exist in the request, trust cannot be established. The default value for the ID property is iv-creds. Any other values set in WAS are added to the list along with iv-creds, separated by commas.

-hostnames

Do not set this property if using ISAM plug-in for web servers. The property specifies the host names (case-sensitive) that are both trusted and expected in the request header. Requests arriving from unlisted hosts might not be trusted. If the checkViaHeader property is not set, or is set to false, then the trusted host names property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, the TAI initialization fails.

-ports

Do not set this property if we are using the ISAM plug-in for web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set, or is set to false, then this property has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WAS, the TAI initialization fails.

-viaDepth

This property indicates a positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The viaDepth property is used only when some of the hosts in the via header have to be trusted. The setting indicates the number of hosts required to be trusted.

As an example, consider the following header:

If in via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001If the viaDepth property is not set, is set to 2 or is set to 0, and a request with the previous via header is received then both webseal1:7002 and webseal2:7001 need to be trusted. The following configuration then applies:

com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2

If in com.ibm.websphere.security.webseal.ports = 7002,7001If the viaDepth property is set to 1, and the previous request is received, then only the last host in the via header needs to be trusted. The following configuration then applies:

com.ibm.websphere.security.webseal.hostnames = webseal2 com.ibm.websphere.security.webseal.ports = 7001

The viaDepth property is set to 0 by default, which means that all of the hosts in the via header are checked for trust.

-ssoPwdExpiry

This property can be used to tell the TAI to ignore proxies as trusted hosts. If true, the comments field of the hosts entry in the via header is checked to determine if a host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false, then the ignoreProxy property has no influence in establishing trust.

-viaDepth

This property indicates a positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The viaDepth property is used only when some of the hosts in the via header have to be trusted. The setting indicates the number of hosts required to be trusted.

-ssoPwdExpiry

After trust is established for a request, the single sign-on user password is cached, eliminating the need to have the TAI re-authenticate the single sign-on user with ISAM for every request. We can modify the cache timeout period by setting the single sign-on password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. The default value for the password expiry property is 600.

-ignoreProxy

This property can be used to tell the TAI to ignore proxies as trusted hosts. If true, the comments field of the hosts entry in the via header is checked to determine if a host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false, then the ignoreProxy property has no influence in establishing trust.

-configURL

For the TAI to establish trust for a request, it requires that the SvrSslCfg task be run for the Java Virtual Machine on the Application Server and result in the creation of a properties file. If this properties file is not at the default URL, which is file://java.home/PdPerm.properties, the correct URL of the properties file must be set in the configuration URL property. If this property is not set, and the SvrSslCfg-generated properties file is not in the default location, the TAI initialization fails. The default value for the config URL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.

Interactive mode example usage:

• Use Jacl:
  $AdminTask configureTAMTAIProperties {-interactive}

• Use Jython:
  AdminTask.configureTAMTAIProperties('-interactive')

unconfigureTAMTAIProperties

Remove the custom properties from the security configuration for the embedded ISAM Trust Association Interceptor with classname TAMTrustAsociationInterceptorPlus.

Target object: None.

Required parameters None.

Optional parameters None.

Interactive mode example usage:

• Use Jacl:
  $AdminTask unconfigureTAMTAIProperties {-interactive}

• Use Jython:
  AdminTask.unconfigureTAMTAIProperties('-interactive')

configureTAMTAIPdjrte

Fully configure the ISAM Runtime for Java. The specific tasks run are PDJrteCfg and SvrSslCfg.

Target object: None.

Required parameters:

-policySvr

Name of the ISAM policy server with which the application server communicates. The server is specified by fully qualified host name, the SSL port number, and the rank. The default SSL port number is 7135. For example: myauth.mycompany.com:7135:1.

-authSvrs

Name of the ISAM authorization server with which the application server communicates. The server is specified by fully-qualified host name, the SSL port number, and the rank. The default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. We can specify multiple servers if the entries are separated by a comma (,).

-adminPasswd

This property specifies the password of the ISAM administrator user associated with the -adminUid parameter. The password restrictions depend upon the password policy for our ISAM configuration.

Optional parameters:

-adminUid

This property specifies the ISAM administrator name. If not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the administrative ID.

For example, for U.S. English. the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry.

-secDomain

This property specifies the ISAM domain name to which the administrator is authenticated. This domain must exist and an administrator ID and password must be valid for this domain. The application server is specified in this domain.

If not specified, the default value is Default. The local domain value is retrieved from the configuration file.

A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the domain name.

For example, for U.S. English, the valid characters for domain names are the letters a-Z, the numbers 0-9, a period ( . ), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry.

-defer

This property indicates whether this task should be run immediately or deferred until the startup of the WAS. The default is no.

Interactive mode example usage:

• Use Jacl:
  $AdminTask configureTAMTAIPdjrte {-interactive}

• Use Jython:
  AdminTask.configureTAMTAIPdjrte('-interactive')

unconfigureTAMTAIPdjrte

Unconfigure the ISAM Runtime for Java. The specific tasks run are PDJrteCfg and SvrSslCfg.

Target object: None.

Required parameters:

-adminPasswd

This property specifies the password of the ISAM administrator user associated with the -adminUid parameter. The password restrictions depend upon the password policy for our ISAM configuration.

Optional parameters:

-adminUid

This property specifies the ISAM administrator name. If not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the administrative ID.

-force

This property indicates whether or not this task should stop when an error is encountered. The default is no.

-defer

This property indicates whether this task should be run immediately or deferred until the startup of the WAS. The default is no.

Interactive mode example usage:

• Use Jacl:
  $AdminTask unconfigureTAMTAIPdjrte {-interactive}

• Use Jython:
  AdminTask.unconfigureTAMTAIPdjrte('-interactive')

wsadmin AdminTask

Configure SSO using trust association interceptor ++

Configure SSO capability with ISAM WebSEAL

Commands for the AdminTask object