WebSphere Enterprise Service Bus for z/OS, Version 6.2.0 Operating Systems: z/OS


ConsolidateJAASAuthAliases.py script

ConsolidateJAASAuthAliases.py is a wsadmin script to consolidate the several JAAS authentication aliases defined for database access by the augment process.

Introduction

When a WebSphere® ESB for z/OS® server accesses a secure database subsystem, one of the security mechanisms available to it involves the use of JAAS authentication aliases. A JAAS authentication alias specifies a user identifier and password that is provided when the database subsystem requests authentication credentials. The augment process defines a set of JAAS authentication aliases which are associated with the various data sources and service integration buses for use when they access the database. The aliases are also assigned to a number of WebSphere Relational Resource Adapter CMP Connection Factories.

A fully configured WebSphere ESB system consists of the following resources and JAAS authentication aliases defined by the augment process:

Table 1. JAAS authentication aliases

Data Sources | JAAS Authentication Alias
BPEDataSourceDb2zOS | BPCDB_<node>.<server>_Auth_Alias
Business Process Choreographer ME data source | None
CEI ME data source | CEIME_<node>.<server>_Auth_Alias
ESBLoggerMediationDataSource | WPSDB_Auth_Alias
SCA Application Bus ME data source | SCAAPPME00_Auth_Alias
SCA System Bus ME data source | SCASYSME00_Auth_Alias
WBI_DataSource | WPSDB_Auth_Alias
event | <cell>/<node>/<server>/EventAuthDataAliasDB2ZOS
event_catalog | <cell>/<node>/<server>/EventAuthDataAliasDB2ZOS

CMP Connection Factories | JAAS Authentication Alias
WBI_DataSource_CF | WPSDB_Auth_Alias (component-managed); WPDDB_Auth_Alias (container-managed)
Business Process Choreographer ME data source_CF | None
CEI ME data source_CF | CEIME_<node>.<server>_Auth_Alias (component-managed); CEIME_<node>.<server>_Auth_Alias (container-managed)
SCA Application Bus ME data source_CF | SCAAPPME00_Auth_Alias (component-managed); SCAAPPME00_Auth_Alias (container-managed)
SCA System Bus ME data source_CF | SCASYSME00_Auth_Alias (component-managed); SCASYSME00_Auth_Alias (container-managed)
event_catalog_CF | <cell>/<node>/<server>/EventAuthDataAliasDB2ZOS (container managed)

SIBuses | JAAS Authentication Alias
<node>.<server>-BPC<cell>Bus | BPCME_00_Auth_Alias
<node>.<server>-CommonEventInfrastructure.Bus | CEIME_<node>.<server>_Auth_Alias
<node>.<server>-SCA.APPLICATION.<cell>.Bus | None
<node>.<server>-SCA.SYSTEM.<cell>.Bus | None

On z/OS all the various data repositories are defined to access the same z/OS database subsystem, for example DB2 for z/OS. In addition, authentication to this common database subsystem is carried out using the same user identifier and password. It would not be uncommon for many, if not all, of the JAAS authentication aliases defined by the augment process to be defined with the same user identifier and password.

Having a number of JAAS authentication aliases defined with the same user identifier and password parameters presents a number of concerns:
  • The password for database access will not normally expire, but if it needs to be changed for some reason, it needs to be changed in all the JAAS authentication aliases.
  • The administrative console panel for working with JAAS authentication aliases is more cluttered, which reduces usability.
  • The names of the JAAS authentication aliases may not conform to local naming conventions.

Purpose

The ConsolidateJAASAuthAliases.py script may optionally be run to address these issues. The script is invoked by the WebSphere wsadmin utility to perform the following actions:
  • Consolidates the various JAAS authentication aliases listed in Table 1 into a single entry
  • Reassigns all the resources which referenced the original aliases to use the new alias
  • Deletes the original aliases.
The result is a single JAAS authentication alias used to authenticate database access for all the resources created by the WebSphere ESB for z/OS configuration process.

ConsolidateJAASAuthAliases script

The wsadmin Jython script can be used to consolidate the various JAAS authentication aliases created by WebSphere ESB or WESB configuration into a single entry.

By default the location of the script is /usr/lpp/zWESB/V6R2/zos.config/samples.

Scope of the script

The script was originally developed for WebSphere ESB or WESB for z/OS V6.1.0.1 running on WebSphere Application Server for z/OS V6.1.0.15. The script was tested against a standalone server and a network deployment cell consisting of the deployment manager node and a single application server node.

Invocation of the script

The script is provided as an argument to the WebSphere wsadmin tool. The wsadmin command takes seven mandatory parameters and one optional parameter; the last three mandatory parameters and the optional one are passed to the script as its arguments. An example invocation command (split over several lines to improve clarity) follows:
/AppServerRoot/bin/wsadmin.sh
	-host <host name>
	-port <host port>
	-lang jython
	-f ConsolidateJAASAuthAliases.py
	<JAAS authentication alias name>
	<user ID>
	<password>
	[scan mode]
  • -host <host name> The host address of the target server, or of the deployment manager for a network deployment cell.
  • -port <host port> The SOAP port number of the target server.
  • -lang jython The language the script is written in, Jython.
  • -f ConsolidateJAASAuthAliases.py If the script is not located in the current directory, then you will need to include the path in which the script is stored.
  • <JAAS authentication alias name> The name of the new JAAS authentication alias to be created. This can be any name, but it is good practice to choose a descriptive name, for example WPSDBAccess.
  • <user ID> The user identifier to be provided for authentication to the database subsystem.
  • <password> The password to be provided for authentication to the database subsystem. Because it is passed on the command line, wsadmin echoes it along with the other script arguments in the WASX7303I message, as the sample output shows.
  • [scan mode] An optional parameter. If this parameter is missing, that is, only three parameters are provided to the script, any changes made by the script are committed when the script completes processing. If any string is provided as an eighth parameter (the fourth argument to the script itself), the script reports all the changes that it would make, but they are rolled back when the script completes processing. Scan mode can be useful for assessing the scope of the changes that the script will make.

The script provides a report of all the actions it has taken.

Script processing

Processing of the script is made up of the following steps:
  1. Create a new JAAS authentication alias based on the parameters provided to the script.
  2. Identify all the JAAS authentication aliases of interest. The script searches through the list of all aliases looking for alias names that match the following patterns:
    1. Starts with “BPCDB_”
    2. Starts with “BPCME_”
    3. Starts with “CEIME_”
    4. Starts with “SCAAPPME”
    5. Starts with “SCASYSME”
    6. Ends with “EventAuthDataAliasDB2ZOS”
    7. Is equal to “WPSDB_Auth_Alias”.
  3. For each identified alias, all occurrences of it are replaced with the new alias in JDBC data source definitions. The exception to this is data sources with a container managed alias such as event_catalog. Container managed aliases are deprecated, so they are replaced with the new alias as a component managed alias.
  4. For each identified alias, all occurrences of it are replaced with the new alias in SIBus messaging engine data store definitions.
  5. For each identified alias, all occurrences of it are removed from WebSphere Relational Resource Adapter CMP connection factory definitions.
  6. All of the identified aliases are removed from the WebSphere configuration.

If no fourth parameter is supplied to the script, the changes are committed. If any string is provided as a fourth parameter, the changes are backed out, although the script will still report the changes that it would have made.
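
The steps above, modelled as an added example in plain Python that runs outside wsadmin; it is not IBM's script, and the dictionary layout, the action names and the entries BillingDS, SCAAPPME_local_billing and MyApp_Auth_Alias are assumptions made for illustration. It shows that step 2 selects aliases by name alone, so a locally defined alias that shares one of the prefixes is consolidated and removed as well, which is what a scan mode run lets you check before committing.

```python
# Added illustration: a model of the documented steps, not IBM's script.
PREFIXES = ("BPCDB_", "BPCME_", "CEIME_", "SCAAPPME", "SCASYSME")
SUFFIX = "EventAuthDataAliasDB2ZOS"
EXACT = "WPSDB_Auth_Alias"

def is_target(alias):
    """Step 2: selection is by name only."""
    return alias.startswith(PREFIXES) or alias.endswith(SUFFIX) or alias == EXACT

def plan(config, new_alias):
    """Return the actions of steps 3-6 in report order; `config` is not changed."""
    # Assumption: the newly created alias is never itself a target.
    targets = [a for a in config["aliases"] if is_target(a) and a != new_alias]
    actions = []
    for old in targets:
        for ds in config["data_sources"]:  # step 3
            for kind in ("component", "container"):
                if ds.get(kind) == old:
                    # The new reference is always component-managed.
                    actions.append(("replace-ds", ds["name"], kind, old, new_alias))
        for me in config["me_data_stores"]:  # step 4
            if me.get("alias") == old:
                actions.append(("replace-me", me["name"], old, new_alias))
        for cf in config["cmp_factories"]:  # step 5: removed, not replaced
            for kind in ("component", "container"):
                if cf.get(kind) == old:
                    actions.append(("remove-cf-ref", cf["name"], kind, old))
        actions.append(("remove-alias", old))  # step 6
    return actions

# Constructed sample configuration. Names follow Table 1, except BillingDS,
# SCAAPPME_local_billing and MyApp_Auth_Alias, which are hypothetical.
SAMPLE = {
    "aliases": ["WPSDB_Auth_Alias", "c/n/s/EventAuthDataAliasDB2ZOS",
                "BPCME_00_Auth_Alias", "SCAAPPME_local_billing", "MyApp_Auth_Alias"],
    "data_sources": [
        {"name": "WBI_DataSource", "component": "WPSDB_Auth_Alias"},
        {"name": "event_catalog", "container": "c/n/s/EventAuthDataAliasDB2ZOS"},
        {"name": "BillingDS", "component": "SCAAPPME_local_billing"},
    ],
    "me_data_stores": [{"name": "n.s-BPC.c.Bus", "alias": "BPCME_00_Auth_Alias"}],
    "cmp_factories": [{"name": "WBI_DataSource_CF",
                       "component": "WPSDB_Auth_Alias",
                       "container": "WPSDB_Auth_Alias"}],
}

if __name__ == "__main__":
    for action in plan(SAMPLE, "WPSDB2Access"):
        print(action)
```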

Sample output

Following is a sample execution of the script:
/WebSphere/V6T5N1/AppServer/bin:>
./wsadmin.sh -host winmvsp2 -port 20540 -lang jython -f
/u/healdr/Jython/ConsolidateJAASAuthAliases.py WPSDB2Access wsadmin admn4was
WASX7209I: Connected to process "serverN1" on node Node1MVSP2 using SOAP connector;  The type of process is: UnManagedProcess
WASX7303I: The following options are passed to the scripting environment and are
 available as arguments that are stored in the argv variable: "[WPSDB2Access, wsadmin, admn4was]"

ConsolidateJAASAuthAliases: Starting

   Created JAAS alias: WPSDB2Access

   Replacing alias reference in data source: event
      T5Cell1Base/Node1MVSP2/serverN1/EventAuthDataAliasDB2ZOS => WPSDB2Access

   Replacing alias reference in data source: event_catalog
      Container-managed T5Cell1Base/Node1MVSP2/serverN1/EventAuthDataAliasDB2ZOS => Component-managed WPSDB2Access

   Removing alias reference from CMP connection factory: event_catalog_CF
      Container-managed T5Cell1Base/Node1MVSP2/serverN1/EventAuthDataAliasDB2ZOS

   Removing alias: T5Cell1Base/Node1MVSP2/serverN1/EventAuthDataAliasDB2ZOS

   Replacing alias reference in data source: BPEDataSourceDb2zOS
      BPCDB_Node1MVSP2.serverN1_Auth_Alias => WPSDB2Access

   Removing alias: BPCDB_Node1MVSP2.serverN1_Auth_Alias

   Replacing alias reference in SIBus data store of ME: Node1MVSP2.serverN1-BPC.T5Cell1Base.Bus
      BPCME_00_Auth_Alias => WPSDB2Access

   Removing alias: BPCME_00_Auth_Alias

   Replacing alias reference in data source: SCA System Bus ME data source
      SCASYSME00_Auth_Alias => WPSDB2Access

   Replacing alias reference in SIBus data store of ME: Node1MVSP2.serverN1-SCA.SYSTEM.T5Cell1Base.Bus
      SCASYSME00_Auth_Alias => WPSDB2Access

   Removing alias reference from CMP connection factory: SCA System Bus ME data source_CF
      Component-managed SCASYSME00_Auth_Alias

   Removing alias reference from CMP connection factory: SCA System Bus ME data source_CF
      Container-managed SCASYSME00_Auth_Alias

   Removing alias: SCASYSME00_Auth_Alias

   Replacing alias reference in data source: SCA Application Bus ME data source
      SCAAPPME00_Auth_Alias => WPSDB2Access

   Replacing alias reference in SIBus data store of ME: Node1MVSP2.serverN1-SCA.APPLICATION.T5Cell1Base.Bus
      SCAAPPME00_Auth_Alias => WPSDB2Access

   Removing alias reference from CMP connection factory: SCA Application Bus ME data source_CF
      Component-managed SCAAPPME00_Auth_Alias

   Removing alias reference from CMP connection factory: SCA Application Bus ME data source_CF
      Container-managed SCAAPPME00_Auth_Alias

   Removing alias: SCAAPPME00_Auth_Alias

   Replacing alias reference in data source: CEI ME data source
      CEIME_Node1MVSP2.serverN1_Auth_Alias => WPSDB2Access

   Replacing alias reference in SIBus data store of ME: Node1MVSP2.serverN1-CommonEventInfrastructure_Bus
      CEIME_Node1MVSP2.serverN1_Auth_Alias => WPSDB2Access

   Removing alias reference from CMP connection factory: CEI ME data source_CF
      Component-managed CEIME_Node1MVSP2.serverN1_Auth_Alias

   Removing alias reference from CMP connection factory: CEI ME data source_CF
      Container-managed CEIME_Node1MVSP2.serverN1_Auth_Alias

   Removing alias: CEIME_Node1MVSP2.serverN1_Auth_Alias

   Replacing alias reference in data source: ESBLoggerMediationDataSource
      WPSDB_Auth_Alias => WPSDB2Access

   Replacing alias reference in data source: WBI_DataSource
      WPSDB_Auth_Alias => WPSDB2Access

   Removing alias reference from CMP connection factory: WBI_DataSource_CF
      Component-managed WPSDB_Auth_Alias

   Removing alias reference from CMP connection factory: WBI_DataSource_CF
      Container-managed WPSDB_Auth_Alias

   Removing alias: WPSDB_Auth_Alias

   Saving configuration

ConsolidateJAASAuthAliases: Completed

If the fourth scan mode parameter is provided, the “Saving configuration” message is replaced by “Running in scan mode, no updates committed”, for example:
/WebSphere/V6T5DM/DeploymentManager/bin:>
./wsadmin.sh -host winmvsp1 -port 20510  -lang jython -f 
/u/healdr/Jython/ConsolidateJAASAuthAliases.py WPSDB2Access wsadmin admn4was scanit
WASX7209I: Connected to process "dmgr" on node NDNodeT5dmgrMVSP1 using SOAP connector;  The type of process is: DeploymentManager
WASX7303I: The following options are passed to the scripting environment and are
 available as arguments that are stored in the argv variable: "[WPSDB2Access, wsadmin, admn4was, scanit]"

ConsolidateJAASAuthAliases: Starting

   Created JAAS alias: WPSDB2Access

   …

   Removing alias: CEIME_Node1MVSP2.serverN1_Auth_Alias

   Running in scan mode, no updates committed

ConsolidateJAASAuthAliases: Completed

Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.zseries.doc/doc/rins_zos_consolidateJAASauthaliases.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.