+

Search Tips   |   Advanced Search

 

Propagating security policy of installed applications to a JACC provider using wsadmin scripting

 

It is possible that you have applications installed prior to enabling the Java Authorization Contract for Containers (JACC)-based authorization. You can start with default authorization and then move to an external provider-based authorization using JACC later.

Best practice: Use the wsadmin tool to propagate information to the JACC provider independent of the application installation process, avoiding the need to reinstall applications. Also, during application installation or modification you might have had problems propagating the security policy information to the JACC provider. For example, network problems might occur, the JACC provider might not be available, and so on. For these cases, the security policy of the previously installed applications does not exist in the JACC provider to make the access decisions. One choice is to reinstall the applications involved. However, you can avoid reinstalling by using the wsadmin scripting tool. Use this tool to propagate information to the JACC provider independent of the application installation process.bprac

The tool uses the SecurityAdmin MBean to propagate the policy information in the deployment descriptor of any installed application to the JACC provider. You can invoke this tool using wsadmin at the base appserver for base and deployment manager level for ND. Note that the SecurityAdmin MBean is available only when the server is running.

Use propagatePolicyToJACCProvider(String appNames) to propagate the policy information in the deployment descriptor of the enterprise archive (EAR) files to the JACC provider. If the RoleConfigurationFactory and the RoleConfiguration interfaces are implemented by the JACC provider, the authorization table information in the binding file of the EAR files is also propagated to the provider. See Interfaces that support JACC for more information about these interfaces.

The appNames String contains the list of application names, delimited by a colon (:), whose policy information must be stored in the provider. If a null value is passed, the policy information of the deployed applications is propagated to the provider. Also, be aware of the following items:

 

Procedure

  1. Configure your JACC provider in WAS.

    See Authorizing access to J2EE resources using Tivoli Access Manager for more information.

  2. Restart the server.

  3. Enter the following commands: 

    //use the SecurityAdmin MBean at the Deployment Manager or the unmanaged base 
//appserver connect to the appropriate process (Deployment Manager or 
//base appserver)  wsadmin -user serverID -password serverPWD
// To get the SecurityAdmin MBean for Deployment Manager wsadmin> set secadm [$AdminControl queryNames type=SecurityAdmin,process=dmgr,*]
// or to get the SecurityAdmin MBean for a unmanaged base appserver 
//(replace the process name to match the configuration) wsadmin> set secadm [$AdminControl queryNames 
         type=SecurityAdmin,process=server1,*]
// to propagate specific applications security policy information wsadmin>set appNames [list app1:app2]
// or to propagate all applications installed wsadmin>set appNames [list null]

// Run the command to propagate wsadmin>$AdminControl invoke $secadm propagatePolicyToJACCProvider $appNames


Authorization providers
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WAS

 

Related tasks


Authorizing access to J2EE resources using Tivoli Access Manager
Enabling an external JACC provider

 

Related Reference


Interfaces that support JACC
Security authorization provider troubleshooting tips