It is possible that you have applications installed prior to enabling
the Java Authorization Contract for Containers (JACC)-based authorization.
You can start with default authorization and then move to an external provider-based
authorization using JACC later.
Before you begin
Best practice: Use the wsadmin tool to propagate information
to the JACC provider independent of the application installation process,
avoiding the need to reinstall applications. Also, during application installation
or modification you might have had problems propagating the security policy
information to the JACC provider. For example, network problems might occur,
the JACC provider might not be available, and so on. For these cases, the
security policy of the previously installed applications does not exist in
the JACC provider to make the access decisions. One choice is to reinstall
the applications involved. However, you can avoid reinstalling by using the
wsadmin scripting tool. Use this tool to propagate information to the JACC
provider independent of the application installation process.
bprac
The
tool uses the SecurityAdmin MBean to propagate the policy information in the
deployment descriptor of any installed application to the JACC provider. You
can invoke this tool using wsadmin at the base application server for base
and deployment manager level for Network Deployment. Note that the SecurityAdmin
MBean is available only when the server is running.
Use propagatePolicyToJACCProvider(String
appNames) to propagate the policy information in the deployment descriptor
of the enterprise archive (EAR) files to the JACC provider. If the RoleConfigurationFactory
and the RoleConfiguration interfaces are implemented by the JACC provider,
the authorization table information in the binding file of the EAR files is
also propagated to the provider. See Interfaces that support JACC
for more information about these interfaces.
The appNames
String contains the list of application names, delimited by a colon (:),
whose policy information must be stored in the provider. If a null value is
passed, the policy information of the deployed applications is propagated
to the provider.
Also, be aware of the following items:
- Before migrating applications to the Tivoli Access Manager JACC provider,
create or import the users and groups that are in the applications to Tivoli
Access Manager.
- Depending on the application or the number of applications that are propagated,
you might have to increase the request time-out period either in the soap.client.props file
in the directory profile_root/properties (if using SOAP) or
in the sas.client.props file (if using RMI) for the command to complete.
You can set the request time-out value to 0 to avoid the timeout problem,
and change it back to the original value after the command is run.