+

Search Tips   |   Advanced Search

Migrate with ISAM for authentication enabled on a single node

When Security Access Manager security is configured for our existing environment and security is enabled for a single node, we can migrate to WebSphere Application Server, v9.0.

Your profiles must be migrated using the migration tools to migrate product configurations.

Important: Do not restart the WAS v9.0 server until after performing the following procedure. The migration tools omit some files that enable the server to start correctly.

After migrating your profiles, additional steps are required when ISAM security is configured.

WAS v8.0 and later hosts ISAM specific files under the %WAS_HOME%/tivoli/tam directory. In previous versions, these files were hosted under the %WAS_HOME%/java/jre/ hierarchy.

In the following steps, %WASX% refers to the installation root of the source WAS product, and %WAS8% refers to the installation root of the target WAS product (the v8.0 installation root).


Tasks

  1. Copy the following files from the source location to target location.

    Source Location Target Location
    %WASX%\java\jre\PDPerm.properties %WAS8%\tivoli\tam\PDPerm.properties
    %WASX%\java\jre\lib\security\PdPerm.ks (if found) %WAS8%\tivoli\tam\lib\security\PdPerm.ks
    %WASX%\java\jre\lib\PdPerm.ks (if found) %WAS8%\tivoli\tam\PdPerm.ks
    %WASX%\java\jre\PolicyDirector\PDCA.ks %WAS8%\tivoli\tam\PolicyDirector\PDCA.ks
    %WASX%\java\jre\PolicyDirector\PD.properties %WAS8%\tivoli\tam\PolicyDirector\PD.properties
    %WASX%\java\jre\PolicyDirector\etc\pdjrte_paths %WAS8%\tivoli\tam\PolicyDirector\etc\pdjrte_paths
    %WASX%\java\jre\PolicyDirector\etc\pdjrte_mapping %WAS8%\tivoli\tam\PolicyDirector\etc\pdjrte_mapping

  2. Edit the PD.properties file, and change the following configuration settings: 
    appsvr-plcysvrs=null\:0:\:1
config_type=standalone
    Make the appropriate changes to point to your ISAM Policy Server, for example: 
    appsvr-plcysvrs=pdmgrd.test.gc.au.ibm.com\:7135\:1
config_type=full

  3. Edit the following four files on the target system and make sure that all of the path references are corrected:

    • %WAS8%/tivoli/tam/PdPerm.properties
    • %WAS8%/tivoli/tam/PolicyDirector/PD.properties
    • %WAS8%/tivoli/tam/PolicyDirector/etc/pdjrte_paths
    • %WAS8%/tivoli/tam/PolicyDirector/etc/pdjrte_mapping

    When we correct the paths in order:

    1. Ensure that all references from %WASX%/java/jre/PolicyDirector are changed to %WAS8%/tivoli/tam/PolicyDirector.

    2. Ensure that all references (in the PdPerm.properties file) from the%WASX%/java/jre/[security]/PdPerm.ks file are changed to %WAS8%/tivoli/tam/pdPerm.ks.

    3. Ensure that all remaining references from %WASX%/java/jre are changed to %WAS8%/java/jre.

    4. Edit the %WAS8%/tivoli/tam/PolicyDirector/etc/pdjrte_mapping file. It contains the JRE->JRE mapping: %WAS8%/java/jre=%WAS8%/java/jre.

      Change this mapping to JRE->tivoli/tam: %WAS8%/java/jre=%WAS8%/tivoli/tam.

  4. (iSeries) Copy the profile_root1/PolicyDirector directory and it's contents to profile_root2/PolicyDirector. For this example:

    • profile_root1 is the root directory of the profile being migrated.
    • profile_root2 is the root directory of the version 6.1 profile.

    1. From an IBM i command line, type STRQSH and press Enter.

    2. Type cp -R profile_root1/PolicyDirector profile_root2 and press Enter.

  5. (iSeries) Copy the key file of the profile being migrated to the version 8.0 profile. The location of the key file is defined in profile_root1/PolicyDirector/PdPerm.properties. For this example:

    • The PdPerm.properties file contains pdcert-url=file\:/QIBM/UserData/WebAS51/Base/AppSvr1/etc/AppSvr1.kdb.
    • /QIBM/UserData/WebAS51/Base/AppSvr1 is the root directory of a v6.1 profile.

    1. From an IBM i command line type STRQSH and press Enter.

    2. Type cp /QIBM/UserData/WebAS51/Base/AppSvr1/etc/AppSvr1.kdb profile_root2/etc/AppSvr1.kdb and press Enter.

  6. (iSeries) Edit the property values in profile_root2/PolicyDirector/PdPerm.properties and in profile_root2/PolicyDirector/Pd.properties to replace occurrences of profile_root1 with profile_root2 in the file path name values.


What to do next

Also see Migrating with ISAM for authentication enabled on multiple nodes for more information.

  • Migrate with ISAM for authentication enabled on multiple nodes
  • Migrate, coexist, and interoperate - Security considerations