Security and scripting
 Technote (troubleshooting)
 
Problem (Abstract)
When security is enabled for a WebSphere® Application Server Network Deployment cell, users of wsadmin need to specify authentication information to be able to connect to servers.
 
Resolving the problem
When security is enabled for a WebSphere Application Server cell, users of wsadmin need to specify authentication information to be able to connect to servers. User and password information can be specified on the command line using the -user and -password options:
  • For an RMI Connection:
    wsadmin -conntype RMI -port 2809 -user u1 -password secret1
  • For a SOAP Connection:
    wsadmin -conntype SOAP -port 2809 -user u1 -password secret1

Unlike other wsadmin command line options (conntype and port, for example), user and password information cannot be specified in the wsadmin.properties file. Instead, it can be specified in the sas.client.props and soap.client.props files.
Use the -p option to specify a wsadmin properties file other than install_root\bin\wsadmin.properties.

For an RMI connection, edit the sas.client.props file:
  1. Find the following two lines and add the appropriate user ID and password:
    com.ibm.CORBA.loginUserid=
    com.ibm.CORBA.loginPassword=
  2. Find the following line and change the default value from prompt to properties:
    com.ibm.CORBA.loginSource=properties

    Note: If this value is left as prompt, wsadmin script invocation causes a window to display with a password prompt. If the script is running unattended, it will seem to hang.
  3. Ensure the default value of true is set for the following line:
    com.ibm.CORBA.securityEnabled=true

For a SOAP connection, edit the soap.client.props file:
There is no corresponding loginSource property for SOAP connections.
  1. Find the following two lines and add the appropriate user ID and password:
    com.ibm.SOAP.loginUserid=
    com.ibm.SOAP.loginPassword=
  2. Ensure that the default value of true is set for the following line:
    com.ibm.SOAP.securityEnabled=true

Notes:
  1. Use the command line options -user and -password to override the user ID and password that are defined in the soap.client.props or the sas.client.props file.
  2. You can use the PropFilePasswordEncoder utility to encode passwords in the two properties files mentioned above. To change an encoded password, replace the whole password string (including the encoding tag {...}) with the new password, then encode the password with the PropFilePasswordEncoder utility. The utility is located at
    install_root\bin\PropFilePasswordEncoder.bat/sh.
  3. Enabling security through soap.client.props or the sas.client.props will not enable WebSphere global security.
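
An added example (not IBM's code and not part of the technote): a Python audit of a sas.client.props or soap.client.props file against the settings listed above, flagging a password that carries no encoding tag, an RMI loginSource that is not properties, and a credential file other local users can open. The finding names, the sample file contents and the {xor} tag value are constructed for illustration.

```python
import os
import re
import stat

# "{tag}value" is the shape PropFilePasswordEncoder leaves behind.
ENCODED = re.compile(r"^\{[^}]+\}.+")

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text, prefix, mode=None):
    """Findings for one file; prefix is com.ibm.CORBA (RMI) or com.ibm.SOAP."""
    p = parse_props(text)
    user = p.get(prefix + ".loginUserid", "")
    password = p.get(prefix + ".loginPassword", "")
    findings = []
    if bool(user) != bool(password):
        findings.append("incomplete-credentials")
    if password and not ENCODED.match(password):
        findings.append("password-not-encoded")
    if p.get(prefix + ".securityEnabled", "").lower() != "true":
        findings.append("securityEnabled-not-true")
    # RMI only: the technote requires "properties"; "prompt" opens a password window.
    if prefix == "com.ibm.CORBA" and user and p.get(prefix + ".loginSource") != "properties":
        findings.append("loginSource-will-prompt")
    # Encoding is not encryption, so the file must not be open to group/other.
    if mode is not None and password and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file-open-to-other-users")
    return findings

def audit_file(path, prefix):
    """Audit a file on disk; mode bits are checked on POSIX only (use ACLs on Windows)."""
    mode = os.stat(path).st_mode if os.name == "posix" else None
    with open(path, encoding="latin-1") as fh:
        return audit(fh.read(), prefix, mode)

# Constructed sample files, not taken from a real installation.
SAMPLE_SAS = ("com.ibm.CORBA.securityEnabled=true\ncom.ibm.CORBA.loginSource=prompt\n"
              "com.ibm.CORBA.loginUserid=u1\ncom.ibm.CORBA.loginPassword=secret1\n")
SAMPLE_SOAP = ("com.ibm.SOAP.securityEnabled=true\ncom.ibm.SOAP.loginUserid=u1\n"
               "com.ibm.SOAP.loginPassword={xor}CONSTRUCTED\n")

if __name__ == "__main__":
    print(audit(SAMPLE_SAS, "com.ibm.CORBA"))
    print(audit(SAMPLE_SOAP, "com.ibm.SOAP", 0o100644))
```

Run audit_file against each per-user copy of the props file; an empty list means none of these checks fired.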

Setting up wsadmin to use a specific sas.client.props or soap.client.props file

To do this, edit the wsadmin.bat/sh file and set the CLIENTSAS or CLIENTSOAP variable to the correct value for your wsadmin instance.

Example: Setting loginUserid and loginPassword in the soap.client.props or the sas.client.props file. If another user wants to connect to this particular port, he or she must use the same user ID and password.
  1. Make a backup copy of the wsadmin.bat/sh file.
  2. Edit the wsadmin.bat/sh file and locate this line:
    SET USER_INSTALL_ROOT=%WAS_HOME%

    Then, for RMI, add as the next line:
    SET CLIENTSAS=-Dcom.ibm.CORBA.ConfigURL=file:/%WAS_HOME%/properties/wsadminsas.client.props

    For SOAP, add as the next line:
    SET CLIENTSOAP=-Dcom.ibm.SOAP.ConfigURL=file:/%WAS_HOME%/properties/wsadminsoap.client.props

Setting up multiple wsadmin clients with multiple user IDs
  1. Make a copy of the wsadmin.bat/sh for each user.
  2. Follow the steps above to create a different sas.client.props or soap.client.props file. Each user has their own copy of the sas.client.props or soap.client.props file.
  3. Specify a different user ID and password for each of the sas.client.props or soap.client.props files. Each user has their own user ID and password in their own copy of the sas.client.props or soap.client.props file.

Note: If WebSphere global security is enabled, the user ID specified in the sas.client.props or soap.client.props file must be valid within the user registry.

Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK

Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 5.0
Software edition:
Reference #: 1142299
IBM Group: Software Group
Modified date: Mar 10, 2004