

Configure JAAS login modules using wsadmin.sh

Use wsadmin.sh to configure and manage Java Authentication and Authorization Service (JAAS) login entries to allow communication between realms in a multiple security domain environment.

We must meet the following requirements before configuring local operating system user registries:


Procedure

  1. Launch wsadmin.sh using the Jython scripting language.

  2. Configure a JAAS login module.

    Use the configureJAASLoginEntry command to configure a Java Authentication and Authorization Service (JAAS) login entry in a security domain or in the global security configuration. We can use this command to modify existing JAAS login entries or to create new login entries.

    Specify the following parameters to configure the JAAS login module:

    Command parameters. Run the configureJAASLoginEntry command to configure a JAAS login module.

    Parameter Description
    -loginEntryAlias Specifies an alias that identifies the JAAS login entry in the configuration. (String, required)
    -loginType Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String, required)
    -securityDomainName Specifies the name of the security configuration. If you do not specify a security domain name, the system updates the global security configuration. (String, optional)
    -loginModules Specifies a comma (,) separated list of login module class names. Specify the list in the order that the system calls them. (String, optional)
    -authStrategies Optionally specifies the authentication behavior as authentication proceeds down the list of login modules. (String, optional)

    Specify one or more of the following values in a comma (,) separated list:

    • REQUIRED

      Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

    • REQUISITE

      Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

    • SUFFICIENT

      Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

    • OPTIONAL

      Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

    Use the configureJAASLoginEntry command to configure the JAAS login module, as the following Jython example demonstrates:

    # Adjacent string literals are joined, so the argument stays one valid Jython string.
    AdminTask.configureJAASLoginEntry('[-securityDomainName testDomain '
        '-loginType application -loginEntryAlias testLoginEntry '
        '-loginModules "com.ibm.ws.security.common.auth.module.WSLoginModuleImpl" '
        '-authStrategies "REQUIRED"]')
    

  3. Set custom properties for the JAAS login module.

    Use the configureLoginModule command to specify custom properties, modify the authentication strategy, or set the module to use a login module proxy. The following Jython command sets the debug and delegate custom properties for the testLoginEntry JAAS login entry:

    # Adjacent string literals are joined, so the argument stays one valid Jython string.
    AdminTask.configureLoginModule('[-securityDomainName testDomain -loginType application '
        '-loginEntryAlias testLoginEntry '
        '-loginModule com.ibm.ws.security.common.auth.module.WSLoginModuleImpl '
        '-customProperties ["debug=true","delegate=WSLogin"]]')
    

  4. Save the configuration changes.

    Use the following command to save the configuration changes:

    AdminConfig.save()
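
The authentication strategies listed in step 2 interact with the order of the -loginModules list. The following added example (not IBM code and not part of the original topic) models those four flag descriptions in plain Python so that it runs outside wsadmin. The module names other than WSLoginModuleImpl, the outcomes dictionary and the one-strategy-per-module check are assumptions made for illustration.

```python
# Added example: models the -authStrategies flag descriptions; not IBM code.
VALID = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")

def evaluate_login_stack(login_modules, auth_strategies, outcomes):
    """Return (overall_success, modules_called) for one login attempt.

    login_modules   -- comma-separated class names, as for -loginModules
    auth_strategies -- comma-separated flags, as for -authStrategies
    outcomes        -- dict of class name -> True/False (constructed results)
    """
    modules = [m.strip() for m in login_modules.split(",")]
    flags = [f.strip().upper() for f in auth_strategies.split(",")]
    if len(modules) != len(flags):   # assumption of this model
        raise ValueError("need exactly one strategy per login module")
    unknown = [f for f in flags if f not in VALID]
    if unknown:
        raise ValueError("unknown strategy: %s" % ", ".join(unknown))

    called = []
    mandatory_failed = False   # a REQUIRED or REQUISITE module failed
    any_success = False
    for module, flag in zip(modules, flags):
        ok = bool(outcomes[module])
        called.append(module)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            mandatory_failed = True
            if flag == "REQUISITE":
                break          # failure returns control immediately
        elif flag == "SUFFICIENT" and ok:
            break              # success returns control immediately
    # Every REQUIRED/REQUISITE module that ran must pass, and at least
    # one module of any kind must have succeeded.
    return (not mandatory_failed and any_success), called

# Constructed stack: hypothetical module names, except the IBM class
# taken from the page's own example.
WS_LOGIN = "com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"
SSO = "example.auth.SsoTokenModule"            # hypothetical
SECOND = "example.auth.SecondFactorModule"     # hypothetical

if __name__ == "__main__":
    stack = ",".join([SSO, WS_LOGIN, SECOND])
    outcomes = {SSO: True, WS_LOGIN: False, SECOND: False}
    print(evaluate_login_stack(stack, "SUFFICIENT,REQUIRED,REQUIRED", outcomes))
    print(evaluate_login_stack(stack, "REQUIRED,REQUIRED,REQUIRED", outcomes))
```

With the first constructed stack, the successful SUFFICIENT module ends the login before either REQUIRED module is called, so review any login entry that places SUFFICIENT ahead of checks you expect to run on every login.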
    


Local operating system registries
Configure security domains using scripting
Map resources to security domains using scripting
Remove resources from security domains using scripting
Remove security domains using scripting
Start the wsadmin scripting client using wsadmin.sh


Related


SecurityConfigurationCommands command group
