Use this topic to manually migrate trust associations.
Before you begin
Note: Data sources are not supported for use within a Trust Association
Interceptor (TAI). Data sources are intended for use within J2EE applications
and designed to operate within the EJB and Web containers. Trust Association
Interceptors do not run within a container, and while data sources may function
in the TAI environment, they are untested and not guaranteed to function properly.
The following topics are addressed in this document:
Changes to the product-provided trust association interceptors
For the product-provided implementation for the WebSEAL server, a new optional
com.ibm.websphere.security.webseal.ignoreProxy property is added. If this
property is set to true or yes, the implementation does not check that the
proxy host names and the proxy ports match any of the host names and ports
that are listed in the com.ibm.websphere.security.webseal.hostnames and the
com.ibm.websphere.security.webseal.ports properties, respectively. For
example, if the VIA header contains the following information:
HTTP/1.1 Fred (Proxy), 1.1 Sam (Apache/1.1),
HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
and the com.ibm.websphere.security.webseal.ignoreProxy property is set to
true or yes, the host name Fred is not used when matching the host names.
By default, this property is not set, which implies that any proxy host names
and ports that are expected in the VIA header are listed in the host names and
the ports properties to satisfy the isTargetInterceptor method.
The previous VIA header information was split onto two lines for illustrative
purposes only.
For more information about the com.ibm.websphere.security.webseal.ignoreProxy
property, see Configuring single signon using trust association interceptor ++.
Migrating product-provided trust association interceptors
The properties that are located in the webseal.properties and
trustedserver.properties files are not migrated from previous versions of
WebSphere Application Server. You must migrate the appropriate properties to
WebSphere Application Server Version 6.0.x using the trust association panels
in the administrative console. For more information, see Configuring trust
association interceptors.
Changes to the custom trust association interceptors
If the custom interceptor extends the
com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor class,
implement the following new method to initialize the interceptor:
public int init (java.util.Properties props);
WebSphere Application Server checks the return status before using the
trust association implementation. Zero (0) is the default value for indicating
that the interceptor is successfully initialized.
However, if a previous implementation of the trust association interceptor
returns a different error status, you can either change your implementation to
match the expectations or make one of the following changes:
- Method 1: Add the com.ibm.websphere.security.trustassociation.initStatus
  property in the trust association interceptor custom properties. Set the
  property to the value that indicates the interceptor is successfully
  initialized. All of the other possible values imply failure. In case of
  failure, the corresponding trust association interceptor is not used.
- Method 2: Add the com.ibm.websphere.security.trustassociation.ignoreInitStatus
  property in the trust association interceptor custom properties. Set the
  value of this property to true, which tells WebSphere Application Server to
  ignore the status of this method. If you add this property to the custom
  properties, WebSphere Application Server does not check the return status,
  which is similar to previous versions of WebSphere Application Server.
The public int init (java.util.Properties props) method replaces the
public int init (String propsFile) method.
The init(Properties) method accepts a java.util.Properties object, which
contains the set of properties that is required to initialize the interceptor.
All of the properties set for an interceptor are sent to this method. The
interceptor can then use these properties to initialize itself. For example,
in the product-provided implementation for the WebSEAL server, this method
reads the hosts and ports so that an incoming request can be verified to come
from trusted hosts and ports. A return value of zero (0) implies that the
interceptor initialization is successful. Any other value implies that the
initialization is not successful and the interceptor is not used.
The init(String) method still works if you want to use it instead of
implementing the init(Properties) method. The only requirement is that you
enter the file name containing the custom trust association properties using
the Custom Properties link of the interceptor in the administrative console or
by using scripts. You can enter the property using either of the following
methods. The first method is used for backward compatibility with previous
versions of WebSphere Application Server.
- Method 1: The same property names used in the previous release are used to
  obtain the file name. The file name is obtained by concatenating .config to
  the com.ibm.websphere.security.trustassociation.types property value. If the
  myTAI.properties file is located in the app_server_root/properties directory,
  set the following properties:
  - com.ibm.websphere.security.trustassociation.types = myTAItype
  - com.ibm.websphere.security.trustassociation.myTAItype.config = app_server_root/properties/myTAI.properties
- Method 1: The same property names used in the previous release are used to
  obtain the file name. The file name is obtained by concatenating .config to
  the com.ibm.websphere.security.trustassociation.types property value. If the
  myTAI.properties file is located in the profile_root/properties directory,
  set the following properties:
  - com.ibm.websphere.security.trustassociation.types = myTAItype
  - com.ibm.websphere.security.trustassociation.myTAItype.config = profile_root/properties/myTAI.properties
- Method 2: You can set the
  com.ibm.websphere.security.trustassociation.initPropsFile property in the
  trust association custom properties to the location of the file. For example,
  set the following property:
  com.ibm.websphere.security.trustassociation.initPropsFile=
  app_server_root/properties/myTAI.properties
  The previous line of code is split into two lines for illustrative purposes
  only. Type as one continuous line.
- Method 2: You can set the
  com.ibm.websphere.security.trustassociation.initPropsFile property in the
  trust association custom properties to the location of the file. For example,
  set the following property:
  com.ibm.websphere.security.trustassociation.initPropsFile=
  profile_root/properties/myTAI.properties
  The previous line of code is split into two lines for illustrative purposes
  only. Type as one continuous line.
In a Network Deployment installation, where the location of the file name can
vary for different nodes, use the variable install_root to refer to the
WebSphere Application Server installation directory.
However, it is highly recommended that your implementation be changed to
implement the init(Properties) method instead of relying on the
init (String propsfile) method.
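The init contract described above, as an added example that is not IBM's code: init(Properties) returns zero only when the configuration is usable, and the older init(String) loads the file and delegates to it. The class name MyTaiInit and the property names myTAI.trustedHosts and myTAI.trustedPorts are hypothetical; in a real interceptor the two init methods sit in the class that extends WebSphereBaseTrustAssociationInterceptor.

```java
import java.io.*;
import java.util.*;

// Added example: stand-alone model of the two init entry points.
public class MyTaiInit {
    // Hypothetical property names, invented for this example.
    static final String HOSTS = "myTAI.trustedHosts";
    static final String PORTS = "myTAI.trustedPorts";
    private final Set<String> hosts = new HashSet<>();
    private final Set<Integer> ports = new HashSet<>();

    // New-style entry point: 0 means initialized, any other value means failure.
    public int init(Properties props) {
        hosts.clear();
        ports.clear();
        try {
            for (String h : props.getProperty(HOSTS, "").split(",")) {
                if (!h.trim().isEmpty()) hosts.add(h.trim().toLowerCase());
            }
            for (String p : props.getProperty(PORTS, "").split(",")) {
                if (p.trim().isEmpty()) continue;
                int port = Integer.parseInt(p.trim());
                if (port < 1 || port > 65535) return 1; // out-of-range port
                ports.add(port);
            }
        } catch (NumberFormatException e) {
            return 1; // malformed port list
        }
        // Fail closed: with no trusted hosts or ports, report failure.
        return (hosts.isEmpty() || ports.isEmpty()) ? 1 : 0;
    }

    // Old-style entry point kept for compatibility: load the file, then delegate.
    public int init(String propsFile) {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propsFile)) {
            props.load(in);
        } catch (IOException e) {
            return 1; // an unreadable file is an initialization failure
        }
        return init(props);
    }

    public static void main(String[] args) {
        MyTaiInit tai = new MyTaiInit();
        Properties p = new Properties(); // constructed sample values
        p.setProperty(HOSTS, "webseal1, webseal2");
        p.setProperty(PORTS, "7002,7001");
        System.out.println("valid config -> " + tai.init(p));
        p.setProperty(PORTS, "70000");
        System.out.println("bad port     -> " + tai.init(p));
        System.out.println("missing file -> " + tai.init("no-such-file.properties"));
    }
}
```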
Migrating custom trust association interceptors
The trust associations from previous versions of WebSphere Application Server
are not automatically migrated to WebSphere Application Server Version 6.0.x
and later. You can manually migrate these trust associations using the
following steps: