Purpose
Migrates changes made to console users and groups in the admin-authz.xml file into the Tivoli Access Manager object space.
Syntax
migrateEAR
-j admin-authz.html_path_name
-c pdPerm.properties_file_location
-a Tivoli_Access_Manager_administrator_ID
-p Tivoli_Access_Manager_administrator_password
-w WebSphere_Application_Server_administrator_user_name
-d user_registry_domain_suffix
[-r root_objectspace_name]
[-t ssl_timeout]
Parameters
-a Tivoli_Access_Manager_administrator_ID
This parameter is optional. When the parameter is not specified, you are prompted to supply it at run time.
-c PdPerm.properties_file_location
file:/opt/IBM/WebSphere/AppServer/java/jre/PdPerm.properties
file:/usr/IBM/WebSphere/AppServer/java/jre/PdPerm.properties
file:/"c:/install_dir/java/jre/PdPerm.properties"
-d user_registry_domain_suffix
Windows platforms require that the domain suffix is enclosed within quotes.
You can use the pdadmin user show command to display the distinguished name (DN) for a user.
-j admin-authz.html_path_name
file:/opt/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml
file:/usr/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml
"c:/install_dir/profiles/profile_name/config/cells/cell_name/admin-authz.xml"
-p Tivoli_Access_Manager_administrator_password
When this parameter is not specified, the user is prompted to supply the password for the administrative user name.
-r root_objectspace_name
The default value for the root object space is WebAppServer.
The Tivoli Access Manager root object space name is set by modifying the amwas.amjacc.template.properties property before the Tivoli Access Manager Java Authorization Contract for Containers (JACC) provider is configured for the first time. Use this option if the default object space value is not used in the configuration of the Tivoli Access Manager JACC provider.
Do not change the Tivoli Access Manager object space name after the Tivoli Access Manager JACC provider is configured.
-t ssl_timeout
The default is 60 minutes. The minimum is 10 minutes. The maximum value cannot exceed the Tivoli Access Manager ssl-v3-timeout value. The default value for ssl-v3-timeout is 120 minutes.
If you are not familiar with the administration of this value, you can safely use the default value.
-w WebSphere_Application_Server_administrator_user_name
When the WebSphere Application Server administrative user does not already exist in the protected object space, it is created or imported. In this case, a random password is generated for the user and the account is set to not valid. Change this password to a known value and set the account to valid.
Comments
This utility migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server. The script calls the Java class: com.tivoli.pdwas.migrate.Migrate.
Before invoking the script, you must run setupCmdLine.bat or setupCmdLine.sh. These files can be found in the %WAS_HOME%/bin directory.
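The following wrapper is an added example, not part of the original documentation. It checks the -t value against the range described above, omits -p so that the utility prompts for the password rather than receiving it on the command line, and sources setupCmdLine.sh before the call. The WAS_HOME default, the migrateEAR.sh file name and its location in the bin directory are assumptions.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. Assumptions: WAS_HOME default,
# migrateEAR.sh in $WAS_HOME/bin, ssl-v3-timeout left at its default of 120.
WAS_HOME="${WAS_HOME:-/opt/IBM/WebSphere/AppServer}"
SSL_V3_TIMEOUT="${SSL_V3_TIMEOUT:-120}"   # minutes

# check_timeout MINUTES: succeed only for an integer in 10..ssl-v3-timeout.
check_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 10 ] && [ "$1" -le "$SSL_V3_TIMEOUT" ]
}

# build_args AUTHZ_XML PDPERM ADMIN_ID WAS_ADMIN DOMAIN_SUFFIX [TIMEOUT]
# Prints one argument per line. -p is deliberately omitted so that the
# utility prompts for the password instead of taking it on the command line.
build_args() {
    if [ "$#" -lt 5 ]; then
        echo "usage: build_args xml pdperm admin was_admin suffix [timeout]" >&2
        return 2
    fi
    timeout="${6:-60}"
    if ! check_timeout "$timeout"; then
        echo "ssl timeout must be 10..$SSL_V3_TIMEOUT minutes" >&2
        return 1
    fi
    printf '%s\n' -j "$1" -c "$2" -a "$3" -w "$4" -d "$5" -t "$timeout"
}

# run_migration: same arguments as build_args. Sources setupCmdLine.sh,
# then runs the utility with each value passed as a single argument.
run_migration() {
    args=$(build_args "$@") || return $?
    . "$WAS_HOME/bin/setupCmdLine.sh" || return 1
    old_ifs=$IFS
    IFS='
'
    set -f            # no globbing while splitting on newlines
    set -- $args
    set +f
    IFS=$old_ifs
    "$WAS_HOME/bin/migrateEAR.sh" "$@"
}
```

Call run_migration with the admin-authz.xml location, the PdPerm.properties location, the two administrator names and the domain suffix; the password prompt then comes from the utility itself.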
Return codes