WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

The Tivoli Access Manager migrateEAR utility

Purpose

Migrates changes made to console users and groups in the admin-authz.xml file into the Tivoli Access Manager object space.

Syntax

migrateEAR
-j admin-authz.html_path_name
-c pdPerm.properties_file_location
-a Tivoli_Access_Manager_administrator_ID
-p Tivoli_Access_Manager_administrator_password
-w WebSphere_Application_Server_administrator_user_name
-d user_registry_domain_suffix
[-r root_objectspace_name]
[-t ssl_timeout]

Parameters

-a Tivoli_Access_Manager_administrator_ID
Specifies the administrative user identifier. The administrative user must have the privileges required to create users, objects, and access control lists (ACLs). For example, -a sec_master.

This parameter is optional. When the parameter is not specified, you are prompted to supply it at run time.

-c PdPerm.properties_file_location
Specifies the Uniform Resource Indicator (URI) location of the PdPerm.properties file that is configured by the pdwascfg utility. When WebSphere Application Server is installed in the default location, the URI is:
[Solaris][Linux][HP-UX]
file:/opt/IBM/WebSphere/AppServer/java/jre/PdPerm.properties
[AIX]
file:/usr/IBM/WebSphere/AppServer/java/jre/PdPerm.properties
[Windows]
file:/”c:/install_dir/java/jre/PdPerm.properties”
-d user_registry_domain_suffix
Specifies the domain suffix for the user registry to use. For example, for Lightweight Directory Access Protocol (LDAP) user registries, this value is the domain suffix, such as: "o=ibm,c=us"

[Windows]Windows platforms require that the domain suffix is enclosed within quotes.

You can use the pdadmin user show command to display the distinguished name (DN) for a user.

-j admin-authz.html_path_name
Specifies the fully qualified path and file name of the Java 2 Platform Enterprise Edition application archive file. Optionally, this path can also be a directory of an expanded enterprise application. When WebSphere Application Server is installed in the default location, the paths to data files to migrate include:
[Solaris][Linux][HP-UX]
file:/opt/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml
[AIX]
file:/usr/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml
[Windows]
“c:/install_dir/profiles/profile_name/config/cells/cell_name/admin-authz.xml”
-p Tivoli_Access_Manager_administrator_password
Specifies the password for the Tivoli Access Manager administrative user. The administrative user must have the privileges required to create users, objects, and access control lists (ACLs). For example, you can specify the password for the -a sec_master administrative user as -p myPassword.

When this parameter is not specified, the user is prompted to supply the password for the administrative user name.

-r root_objectspace_name
Specifies the space name of the root object. The value is the name of the root of the protected object namespace hierarchy that is created for WebSphere Application Server policy data.

The default value for the root object space is WebAppServer.

The Tivoli Access Manager root object space name is set by modifying the amwas.amjacc.template.properties property prior to configuring the Tivoli Access Manager Java Authorization Contract for Containers (JACC) provider for the first time. Use this option if the default object space value is not used in the configuration of the Tivoli Access Manager JACC provider.

Do not change the Tivoli Access Manager object space name after the Tivoli Access Manager JACC provider is configured.

-t ssl_timeout
Specifies the number of minutes for the Secure Sockets Layer (SSL) timeout. This parameter is used to disconnect and reconnect the SSL context between the Tivoli Access Manager authorization server and policy server before the default connection times out.

The default is 60 minutes. The minimum is 10 minutes. The maximum value cannot exceed the Tivoli Access Manager ssl-v3-timeout value. The default value for ssl-v3-timeout is 120 minutes.

If you are not familiar with the administration of this value, you can safely use the default value.

-w WebSphere_Application_Server_administrator_user_name
Specifies the user name that is configured in the WebSphere Application Server security user registry field as the administrator. This value matches the account that you created or imported in Creating the security administrative user. Access permission for this user is needed to create or update the Tivoli Access Manager protected object space.

When the WebSphere Application Server administrative user does not already exist in the protected object space, it is created or imported. In this case, a random password is generated for the user and the account is set to not valid. Change this password to a known value and set the account to valid.

A protected object and access control list (ACL) are created. The administrative user is added to the pdwas-admin group with the following ACL attributes:
T
Traverse permission
i
Invoke permission
WebAppServer
Specifies the action group name. WebAppServer is the default name. This action group name (and the matching root object space) can be overwritten when the migration utility is run with the -r option.

Comments

This utility migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server. The script calls the Java class: com.tivoli.pdwas.migrate.Migrate.

Before invoking the script you must run setupCmdLine.bat or setupCmdLine.sh. These files can be found in the %WAS_HOME%/bin directory.

The script is dependent on finding the correct environment variables for the location of prerequisite software. The script calls Java code with the following options:
-Dpdwas.lang.home
The directory containing the native language support libraries that are provided with the Tivoli Access Manager JACC provider. These libraries are located in a subdirectory under the Tivoli Access Manager JACC provider installation directory. For example: -Dpdwas.lang.home=%PDWAS_HOME%\java\nls
-cp %CLASSPATH% com.tivoli.pdwas.migrate.Migrate
The CLASSPATH variable must be set correctly for your Java installation.
[Windows]Both the -j option and the -c option can reference the %WAS_HOME% variable to determine where WebSphere Application Server is installed. This information is used to:
  • Build the full path name of the enterprise archive file.
  • Build the full URI path name to the location of the PdPerm.properties file.

Return codes

The utility can return the following exit status codes:
0
The command completed successfully.
1
The command failed.
Reference topic    

Terms of Use | Feedback

Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rsec_TAM_JACC_migrateear.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.
This information center is powered by Eclipse technology. (http://www.eclipse.org)