com.tivoli.pd.jcfg.SvrSslCfg
After configuring the Java runtime on the application server host (for example, a WebSphere Application Server host), run SvrSslCfg on that host to register the application server in the ISAM user registry and with the policy and authorization servers.

java com.tivoli.pd.jcfg.SvrSslCfg
    -action { config | unconfig | addsvr | rmsvr | chgsvr | replcert | setport | setdbdir | setdbref | setdblisten | setcertref }
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    -appsvr_pwd application_server_password
    -port port_number
    -mode { local | remote }
    -host appserver_host
    -desc description
    -groups group_names
    -policysvr policy_server:port:rank [,...]
    -authzsvr authorization_server:port:rank [,...]
    -cfg_file /path/to/configuration_file
    -domain ISAM_domain
    -key_file /path/to/keystore_file
    -policysvr_truststore /path/to/truststore_file
    -msg_id message_identifier
    -dblisten { true | false }
    -dbrefresh refresh_interval_in_seconds
    -dbdir local_policy_database_directory
    -cfg_action { create | replace }
    -certrefresh { true | false }
    -ssl_v3_enable { true | false }
    -tls_v10_enable { true | false }
    -tls_v11_enable { true | false }
    -tls_v12_enable { true | false }
    -cipher_suites java_cipher_suite_list

As part of configuring, SvrSslCfg:
- Creates a user account and server entries representing the Java application server in the ISAM user registry.
- Creates a configuration file.
- Creates two Java keystore files locally on the application server:
  - A keystore file that stores a client certificate.
  - A keystore file that stores a trusted signer certificate from the ISAM server.
Unconfiguration removes the user and server entries from the user registry and cleans up the local configuration and keystore files.
The contents of an existing configuration file can be modified by using the SvrSslCfg class. The configuration file and the keystore file must exist when calling SvrSslCfg with any option other than -action config or -action unconfig.
We can specify multiple policy servers and authorization servers, giving each one a numeric rank, in the -policysvr and -authzsvr options of the com.tivoli.pd.jcfg.SvrSslCfg Java class. The rank specifies in what order the application attempts to connect to the defined servers. For example, if two servers are specified, one with rank 1 and another with rank 2, the application attempts to connect to the server with rank 1. If a connection cannot be established to server 1, the application attempts to connect to the server with rank 2. Even if only one server is specified, it still must have a rank setting.
The following options are parsed and processed into the configuration file:
- -port
- -mode local
- -dblisten
- -dbdir
- -dbrefresh
SvrSslCfg parameters
Each entry gives the parameter, the value it takes, and its description.

- -admin_id user_ID: An ISAM user with administrative privileges. Required.
- -admin_pwd password: Password of the ISAM administrative user specified. Required.
- -appsvr_id name: The name of the application server. Required.
- -port port_number: The TCP/IP port on which the application server listens for policy server notifications. Required.
- -mode { local | remote }: Whether the application server processes requests locally or remotely. Required.
- -policysvr hostname:port:rank [,hostname2:port2:rank2...]: A list of ISAM policy servers with which the application server can communicate. Required. Each entry is a host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers are separated by commas. For example, the following specifies two policy servers, both using the default TCP/IP port 7135: primary.myco.com:7135:1,secondary.myco.com:7135:2
- -authzsvr hostname:port:rank [,hostname2:port2:rank2...]: A list of authorization servers with which the application server can communicate. Required. Each entry is a host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers are separated by commas. For example, the following specifies two authorization servers, both using the default TCP/IP port 7136: secazn.myco.com:7136:2,primazn.myco.com:7136:1
- -cfg_file file_name: Fully qualified name of the configuration file on the application server. SvrSslCfg -action config creates this file. The file name must have a .conf suffix; any valid name can be specified. Required.
- -key_file file_name: Fully qualified name of the keystore file on the application server. SvrSslCfg -action config creates this file. The file name must have a .ks suffix; any valid name can be specified. Required.
- -policysvr_truststore file_name: Fully qualified name of the truststore file that holds the signer certificate of the policy server. Optional. Required if the configuration parameters are generated to connect to a policy server other than the one configured for this Java runtime environment. If this parameter is omitted, the Java application server must be configured to the same policy server as the Java runtime environment.
- -msg_id message_identifier: An identifier that determines the directory in which the trace and log files generated by this application server are located. It is used only if Tivoli Common Directory logging is enabled for the runtime. Optional. There is no default value. See the IBM Security Verify Access for Web: Troubleshooting Guide for more information on Tivoli Common Directory logging, message files, and message file locations.
- -domain domain_name: The ISAM domain for the application server. Optional. Default is the local domain.
- -appsvr_pwd password: The password for the user registry account associated with the application server. Optional. If specified, the password must meet the password rules currently in effect. If omitted, a default password is generated automatically.
- -host host_name: Host name of the application server. Optional. Default is the local host.
- -desc description: Description of the application server. Optional. Default is empty (no description).
- -groups group_names: The names of special groups the application server belongs to. Optional. Default is empty (no special groups).
- -dblisten { true | false }: Whether the application server listens for policy database updates. Optional. Default is true. This parameter is ignored when -mode is remote.
- -dbdir directory_name: The directory used for the local copy of the policy database. Optional. If not specified, the default is the db directory directly under the ISAM installation directory: installation_directory/db. This parameter is ignored when -mode is remote.
- -dbrefresh number_of_seconds: The interval, in seconds, at which the application server polls the policy server for policy database updates. Optional. The value must be greater than or equal to zero. The default is 600 seconds (every 10 minutes). This parameter is ignored when -mode is remote.
- -cfg_action { create | replace }: Whether the configuration and keystore files are created on the application server or replaced. Optional. The default is replace. If create is specified and the files already exist, an exception is raised. If replace is specified, the configuration and keystore files must already exist.
- -certrefresh { true | false }: Whether the application certificate is renewed automatically at application startup. Renewal is triggered when the certificate has passed the half-way point of its lifetime and has not yet expired. An expired certificate cannot be renewed by restarting the application; replace it manually with:
  java com.tivoli.pd.jcfg.SvrSslCfg -action replcert -admin_id sec_master -admin_pwd pwd -cfg_file <conf file of Java application>
- -ssl_v3_enable { true | false }: Enable the SSL v3 protocol for secure channel communication. Optional. Default is true.
- -tls_v10_enable { true | false }: Enable the TLS v1.0 protocol for secure channel communication. Optional. Default is true.
- -tls_v11_enable { true | false }: Enable the TLS v1.1 protocol for secure channel communication. Optional. Default is true.
- -tls_v12_enable { true | false }: Enable the TLS v1.2 protocol for secure channel communication. Optional. Default is true.
- -cipher_suites java_cipher_suite_list: Comma-separated list of Java cipher suite names, written without spaces. For example: -cipher_suites SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Note
The com.tivoli.mts.SvrSslCfg class is deprecated in ISAM v10. Existing applications must be modified to use this new com.tivoli.pd.jcfg.SvrSslCfg class as the deprecated class will be removed in a future version of the product.
Class
This class is used to configure, unconfigure, and modify the configuration information associated with a Java application server.

public class SvrSslCfg extends java.lang.Object {
    public static void main(java.lang.String[] argv) throws PDException
}
See also
- Configure appservers into the domain
- -action config
- -action unconfig
- -action addsvr
- -action rmsvr
- -action chgsvr
- -action replcert
- -action setport
- -action setdbdir
- -action setdbref
- -action setdblisten
- -action setcertref
Parent topic: Authorization Java Developer Reference