Configure security authorization for Liberty profile servers on IBM i
Using the iAdmin GRANTAUTH command, you can authorize the QEJBSVR user profile to access the resources required for running the Liberty profile server.
Servers run under the QEJBSVR user profile if one of the following is true:
- The Liberty profile environment was installed as a feature of a product offering using the IBM Installation Manager.
- The Job Manager was used to install the Liberty profile environment and the Run optional installation scripts on IBM i targets option was selected. See Install Liberty profile resources using the job manager.
- The iAdmin POSTINSTALL command was called after installing the Liberty profile by extracting an archive file.
Also, QEJBSVR is granted authorization to files in the $WLP_USER_DIR and $WLP_OUTPUT_DIR locations in all of these installation scenarios. Additionally, when servers are created, QEJBSVR is granted authorization to server definition files and the $WLP_OUTPUT_DIR location.
This task provides example commands that show you how to authorize the QEJBSVR user profile to access the required resources for running the server after doing the following tasks:
- Creating files manually or modifying the authorities on shared resources and server definition files.
- Configuring a server to access resources that the QEJBSVR user profile is not yet authorized to access.
Example
- Granting the server role to the QEJBSVR user profile for the shared resources, server definitions and output locations configured for the Liberty profile environment installed in the /WAS/wlp directory.
/WAS/wlp/lib/native/os400/bin/iAdmin GRANTAUTH --rolename server --userprofilename QEJBSVR
- Granting the server role to the QEJBSVR user profile for shared resources and server definitions in /WAS/myWlpServers/usr, and for any server output locations defined by the WLP_OUTPUT_DIR variable in files matching /WAS/myWlpServers/usr/servers/*/server.env.
/WAS/wlp/lib/native/os400/bin/iAdmin GRANTAUTH --rolename server --userprofilename QEJBSVR --userdir /WAS/myWlpServers/usr
- Granting the server role to the QEJBSVR user profile for output location /WAS/myWlpOutput/servers.
/WAS/wlp/lib/native/os400/bin/iAdmin GRANTAUTH --rolename server --userprofilename QEJBSVR --outputdir /WAS/myWlpOutput/servers
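To review which output locations a grant made with the userdir option would reach, the following added example (not part of the IBM documentation) lists the WLP_OUTPUT_DIR value set in each server.env under a user directory. It assumes server.env holds plain KEY=VALUE lines with # comments and that the last assignment in a file wins; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which output locations are named by server.env files
# under a Liberty user directory, so a grant can be reviewed beforehand.

# list_output_dirs USERDIR
# Prints "<server name><TAB><WLP_OUTPUT_DIR value>" for every server whose
# server.env sets WLP_OUTPUT_DIR. Assumption: KEY=VALUE lines, '#' comments,
# last assignment in a file wins.
list_output_dirs() {
    userdir=$1
    for envfile in "$userdir"/servers/*/server.env; do
        [ -f "$envfile" ] || continue   # glob matched nothing
        server=$(basename "$(dirname "$envfile")")
        value=$(sed -n 's/^[[:space:]]*WLP_OUTPUT_DIR=//p' "$envfile" \
                | tail -n 1 | tr -d '\r')
        [ -n "$value" ] || continue     # variable not set for this server
        printf '%s\t%s\n' "$server" "$value"
    done
}

# unique_output_dirs USERDIR
# Distinct output locations, one per line, in byte order.
unique_output_dirs() {
    list_output_dirs "$1" | cut -f 2 | LC_ALL=C sort -u
}

# make_sample_tree
# Builds a constructed user directory in a temp location and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/servers/appA" "$root/servers/appB" \
             "$root/servers/appC" "$root/servers/appD"
    printf '# constructed sample\nWLP_OUTPUT_DIR=/WAS/myWlpOutput/servers\n' \
        > "$root/servers/appA/server.env"
    printf 'JAVA_HOME=/constructed/jvm\nWLP_OUTPUT_DIR=/constructed/other/output\n' \
        > "$root/servers/appB/server.env"
    printf '#WLP_OUTPUT_DIR=/constructed/commented/out\n' \
        > "$root/servers/appC/server.env"
    # appD deliberately has no server.env
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
list_output_dirs "$sample"
rm -rf "$sample"
```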
Parent topic: Authorizing access to resources
Tasks: Configure the Liberty profile server to start as a job in the QWAS85 subsystem on IBM i
Reference: iAdmin command