Migrate trust association interceptors
Changes to the WebSphere implementation for the WebSeal trust association interceptor
For the WebSphere implementation for the WebSeal server a new optional property com.ibm.websphere.security.webseal.ignoreProxy has been added. If this property is set to true or yes, the implementation does not check for the proxy host names and the proxy ports to match any of the host names and ports listed in the com.ibm.websphere.security.webseal.hostnames and the com.ibm.websphere.security.webseal.ports properties, respectively. For example, if the VIA header contains this information:
HTTP/1.1 Fred (Proxy), 1.1 Sam (Apache/1.1), HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
and the com.ibm.websphere.security.webseal.ignoreProxy is set to true or yes, the host name Fred is not used when matching the host names. By default, this property is not set, and any proxy host names and ports expected in the VIA header should be listed in the host names and the ports properties to satisfy the isTargetInterceptor method.
Migrate the WebSphere implementation for the WebSeal trust association interceptors
The properties located in the webseal.properties and trustedserver.properties files are not migrated from previous versions of the WebSphere Application Server. You must use the administrative console to migrate the appropriate properties to WebSphere Application Server, Version 5. For more information, see Configure a trust association interceptor.
Changes to the custom trust association interceptors
If the custom interceptor extends com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor, then implement this method to initialize the interceptor:
public int init (java.util.Properties props);
This is a new method that replaces the public int init (String propsFile) method.
Version 5.0.2 or later: WebSphere Application Server checks the return status before using the Trust Association implementation. Zero (0) is the default value for indicating that the interceptor was successfully initialized. However, if a previous implementation of the trust association interceptor returns a different error status, you can either change your implementation to match the expectations or make one of the following changes:
Add the com.ibm.websphere.security.trustassociation.initStatus property in the trust association interceptor custom properties. Set the property to the value that indicates that the interceptor is successfully initialized. All of the other possible values imply failure. In case of failure, the corresponding trust association interceptor is not used.
Add the com.ibm.websphere.security.trustassociation.ignoreInitStatus property in the trust association interceptor custom properties. Set the value of this property to true, which tells WebSphere Application Server to ignore the status of this method. If you add this property to the custom properties, WebSphere Application Server does not check the return status, which is similar to previous versions of WebSphere Application Server.
The init(Properties) method accepts a java.util.Properties object that specifies the properties that are required to initialize the interceptor. All of the properties set for an interceptor are sent to this method. The interceptor can then use these properties to initialize itself. For example, in the WebSphere implementation for the WebSeal server, this method reads the hosts and ports so that incoming requests can be verified to come from trusted hosts and ports. A return value of 0 indicates that the interceptor initialization is successful. Any other value indicates that the initialization was not successful and the interceptor is ignored.
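The init(Properties) return-status contract and the Version 5.0.2 status check described above can be modeled in plain Java. This is an added example, not IBM's code and not part of the original page. The class InitStatusDemo, the helper isUsed, the failure codes 1 and 2, and the comma-separated value format are assumptions made for illustration; the property names are the ones the page gives.

```java
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
// Stand-alone model of the init(Properties) contract; uses no WebSphere classes.
// Property names are the ones given on the page.
public class InitStatusDemo {
    static final String HOSTS = "com.ibm.websphere.security.webseal.hostnames";
    static final String PORTS = "com.ibm.websphere.security.webseal.ports";
    static final String INIT_STATUS = "com.ibm.websphere.security.trustassociation.initStatus";
    static final String IGNORE = "com.ibm.websphere.security.trustassociation.ignoreInitStatus";
    final Set<String> trustedHosts = new HashSet<>();
    final Set<Integer> trustedPorts = new HashSet<>();

    // Returns 0 on success. The codes 1 and 2 are hypothetical failure values.
    public int init(Properties props) {
        String hosts = props.getProperty(HOSTS, "").trim();
        String ports = props.getProperty(PORTS, "").trim();
        if (hosts.isEmpty() || ports.isEmpty()) return 1; // nothing to trust: fail closed
        try {
            // Assumption: values are comma-separated lists.
            for (String p : ports.split("\\s*,\\s*")) trustedPorts.add(Integer.valueOf(p));
        } catch (NumberFormatException e) {
            trustedPorts.clear();
            return 2; // malformed port: fail closed
        }
        for (String h : hosts.split("\\s*,\\s*")) trustedHosts.add(h.toLowerCase());
        return 0;
    }

    // Model of the status check the page describes for Version 5.0.2 or later.
    static boolean isUsed(int status, Properties props) {
        if ("true".equalsIgnoreCase(props.getProperty(IGNORE))) return true; // status not checked
        return status == Integer.parseInt(props.getProperty(INIT_STATUS, "0"));
    }

    public static void main(String[] args) {
        Properties good = new Properties(); // constructed sample configuration
        good.setProperty(HOSTS, "webseal1, webseal2");
        good.setProperty(PORTS, "7002, 7001");
        Properties bad = new Properties(); // constructed: ports property missing
        bad.setProperty(HOSTS, "webseal1");
        for (Properties p : new Properties[] {good, bad}) {
            int status = new InitStatusDemo().init(p);
            System.out.println("init=" + status + " used=" + isUsed(status, p));
        }
        bad.setProperty(IGNORE, "true"); // masks the failed initialization
        int status = new InitStatusDemo().init(bad);
        System.out.println("init=" + status + " used=" + isUsed(status, bad));
    }
}
```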
The init(String) method still works if you want to use it instead of implementing the init(Properties) method. The only requirement is that the file name containing the custom trust association properties should now be entered using the Custom Properties link of the interceptor in the administrative console or by using scripts. You can enter the property using either of the following methods (The first method is used for backward compatibility with previous versions of WebSphere Application Server):
The same property names used in the previous release are used to obtain the file name. The file name is obtained by concatenating the .config extension to the com.ibm.websphere.security.trustassociation.types property value. For example, if the file name is called myTAI.properties and is located in the /QIBM/ProdData/WebAS5/UserData/Base/myInstance/properties directory, set the following properties:
com.ibm.websphere.security.trustassociation.types = myTAItype
com.ibm.websphere.security.trustassociation.myTAItype.config = /QIBM/ProdData/WebAS5/UserData/Base/myInstance/properties
Set the com.ibm.websphere.security.trustassociation.initPropsFile property in the trust association custom properties to the location of the file. For example, set the following property:
com.ibm.websphere.security.trustassociation.initPropsFile= /QIBM/ProdData/WebAS5/UserData/Base/myInstance/properties
Note: These property values have been wrapped for display purposes. Type the property and value as a single, continuous line.
In Network Deployment, where the location of the file name can vary for different nodes, use the variable ${USER_INSTALL_ROOT} to refer to the WebSphere Application Server installation directory. However, it is highly recommended that your implementation be changed to implement the init(Properties) method instead of relying on the init(String propsfile) method.
Migrate custom trust association interceptors
The trust associations from previous versions of WebSphere Application Server are not migrated to Version 5. Users can manually migrate these trust associations using the following steps:
Recompile the implementation file, if necessary.
To recompile the implementation file, run this command:
%WAS_HOME%/java/bin/javac -classpath %WAS_HOME%/lib/wssec.jar; %WAS_HOME%/lib/j2ee.jar implementation_file.java
Note: This command has been wrapped for display purposes. Enter the command on a single line.
Copy the custom trust association interceptor class files to a location in your classpath.
It is recommended that you copy these class files into the %WAS_HOME%/classes directory. If you are running WebSphere Application Server Network Deployment, copy this class file into the classpath of each node and cell.
Start the WebSphere Application Server.
Enable security to use the trust association interceptor.
The properties located in your custom trust association properties file and in the trustedserver.properties file are not migrated from previous versions of WebSphere Application Server to version 5. Use the administrative console to migrate the appropriate properties to WebSphere Application Server Version 5. For more information, see Develop a custom interceptor for trust associations.