You can use the Jython or Jacl scripting languages to configure
embedded IBM Tivoli Access Manager with the wsadmin tool. The commands
and parameters in the TAMConfig group can be used to configure or
unconfigure Tivoli Access Manager.
The TAMConfig command group for the AdminTask object includes the
following commands:
configureTAM
Use the configureTAM command to manually configure the Tivoli Access Manager.
Target object
None.
Required parameters
None.
Optional parameters
None.
Examples
Interactive mode example
usage:
- Using Jacl:
$AdminTask configureTAM {-interactive}
- Using Jython string:
AdminTask.configureTAM ('[-interactive]')
- Using Jython list:
AdminTask.configureTAM (['-interactive'])
listTAMSettings
The listSSLRepertoires command lists all of the Secure Sockets Layer (SSL) configuration
instances that you can associate with an SSL inbound channel. If you
create a new SSL alias using the administrative console, the alias
name is automatically created in the node_name/alias_name format. However, if you create a new SSL alias using the wsadmin
tool, you must create the SSL alias and specify both the node name
and alias name in the node_name/alias_name format.
Target object
None.
Required parameters
None.
Optional parameters
None.
Examples
Interactive mode example
usage:
- Using Jacl:
$AdminTask listTAMSettings {-interactive}
- Using Jython string:
print AdminTask.listTAMSettings ('[-interactive]')
- Using Jython list:
print AdminTask.listTAMSettings (['-interactive'])
modifyTAM
The modifyTAM command modifies embedded Tivoli Access Manager configuration
settings.
Target object
None.
Required parameters
- -adminPasswd
- Specifies the Tivoli Access Manager administrator password. (String,
required)
Optional parameters
- -adminUid
- Specifies the Tivoli Access Manager user name. (String, optional)
- -nodeName
- Specifies the target node or nodes. Set the value as the * asterisk
character to specify all nodes. (String, optional)
Examples
Interactive
mode example usage:
- Using Jacl:
$AdminTask modifyTAM {-adminPasswd my11password}
- Using Jython:
AdminTask.modifyTAM('-adminPasswd my11password')
- Using Jython list:
AdminTask.modifyTAM(['-adminPasswd', 'my11password'])
Interactive mode example usage:
reconfigureTAM
The reconfigureTAM command reconfigures the Java Authorization Contract for Containers
(JACC) Tivoli Access Manager settings.
Target object
None.
Required parameters
None.
Optional parameters
None.
Examples
Interactive mode example
usage:
- Using Jacl:
$AdminTask reconfigureTAM {-interactive}
- Using Jython string:
AdminTask.reconfigureTAM ('[-interactive]')
- Using Jython list:
AdminTask.reconfigureTAM (['-interactive'])
unconfigureTAM
The unconfigureTAM command removes configuration data for the Java Authorization Contract
for Containers (JACC) Tivoli Access Manager.
Required parameters
None.
Optional parameters
None.
Examples
Interactive mode example
usage:
- Using Jacl:
$AdminTask unconfigureTAM {-interactive}
- Using Jython string:
AdminTask.unconfigureTAM ('[-interactive]')
- Using Jython list:
AdminTask.unconfigureTAM (['-interactive'])
configureTAMTAI
The configureTAMTAI command configures the embedded Tivoli® Access Manager trust association interceptor
(TAI) with classname TAMTrustAssociationInterceptorPlus.
Target object
None.
Required parameters
- -policySvr
- This property specifies the name of the Tivoli Access Manager policy server with which
the application server communicates. The server is specified by a
fully-qualified host name, the SSL port number, and the rank. The
default SSL port number is 7135. For example: myauth.mycompany.com:7135:1.
- -authSvrs
- This property specifies the name of the Tivoli Access Manager authorization server
with which the application server communicates. The server is specified
by a fully-qualified host name, the SSL port number, and the rank.
The default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. You can specify multiple servers if the entries are separated by
a comma (,).
- -adminPasswd
- This property specifies the password of the Tivoli Access Manager administrator user that
is associated with the -adminUid parameter. The password restrictions
depend upon the password policy for your Tivoli Access Manager configuration.
- -loginId
- The WebSEAL trusted user as created in "Creating a trusted user
account in Tivoli Access
Manager". See the Configuring single sign-on using trust association
interceptor ++ article for more information. The format of the username
is the short name representation.
Optional parameters
- -adminUid
- This property specifies the Tivoli Access Manager administrator name. If this option is
not specified, sec_master is the default. A valid administrative
ID is an alphanumeric, case-sensitive string. String values are expected
to be characters that are part of the local code set. You cannot use
a space in the administrative ID.
For example, for U.S. English,
the valid characters are the letters a-Z, the numbers 0-9, a period
(.), an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the administrative ID, if there are limits, are imposed
by the underlying registry.
- -secDomain
- This property specifies the Tivoli Access Manager domain name to which the administrator
is authenticated. This domain must exist and an administrator ID and
password must be valid for this domain. The application server is
specified in this domain. If the application server is not specified,
the default value is Default. The local domain value is retrieved
from the configuration file.
A valid domain name is an alphanumeric,
case-sensitive string. String values are expected to be characters
that are part of the local code set. You cannot use a space in the
domain name.
For example, for U.S. English, the valid characters
for domain names are the letters a-Z, the numbers 0-9, a period (.),
an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the domain name, if there are limits, are imposed by the
underlying registry.
- -checkViaHeader
- You can configure TAI so that the via header can be ignored when
validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When
set to false, you do not need to set the trusted host names and host
ports properties. The only mandatory property to check when the via
header is false is com.ibm.websphere.security.webseal.loginId. The
default value of the check via header property is false.
When using Tivoli Access
Manager plug-in for Web servers, set this property to false.
Note: The via header is part of the standard HTTP header that records the
server names that the request passed through.
- -id
- This property specifies a comma-separated list of headers that
exists in the request. If all of the configured headers do not exist
in the request, trust cannot be established. The default value for
the ID property is iv-creds. Any other values set in WebSphere® Application Server
are added to the list along with iv-creds, separated by commas.
- -hostnames
- Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers.
This property specifies the host names (case-sensitive) that are both
trusted and expected in the request header. Requests arriving from
unlisted hosts might not be trusted. If the checkViaHeader property
is not set, or is set to false, then the trusted host names
property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, the TAI
initialization fails.
- -ports
- Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers.
This property is a comma-separated list of trusted host ports. Requests
that arrive from unlisted ports might not be trusted. If the checkViaHeader
property is not set, or is set to false, then this property
has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization
fails.
- -viaDepth
- This property indicates a positive integer that specifies the
number of source hosts in the via header to check for trust. By default,
every host in the via header is checked, and if any host is not trusted,
trust cannot be established. The viaDepth property is used when only
some of the hosts in the via header have to be trusted. The setting
indicates the number of hosts that are required to be trusted.
For example, consider the following header:
via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
If the viaDepth property is not set, is set to 2 or is set to 0, and a request
with the previous via header is received, then both webseal1:7002 and
webseal2:7001 need to be trusted. The following configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
com.ibm.websphere.security.webseal.ports = 7002,7001
If the viaDepth property is set to 1, and the previous request is received,
then only the last host in the via header needs to be trusted. The following
configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal2
com.ibm.websphere.security.webseal.ports = 7001
The viaDepth property is set to 0 by default, which means that all of the
hosts in the via header are checked for trust.
- -ssoPwdExpiry
- After trust is established for a request, the single sign-on user
password is cached, eliminating the need to have the TAI re-authenticate
the single sign-on user with Tivoli Access Manager for every request. You can modify the cache timeout
period by setting the single sign-on password expiry property to the
required time in seconds. If the password expiry property is set to
0, the cached password never expires. The default value for the password
expiry property is 600.
- -ignoreProxy
- This property can be used to tell the TAI to ignore proxies as
trusted hosts. If set to true the comments field of the hosts
entry in the via header is checked to determine if a host is a proxy.
Remember that not all proxies insert comments in the via header indicating
that they are proxies. The default value of the ignoreProxy property
is false. If the checkViaHeader property is set to false,
then the ignoreProxy property has no influence in establishing trust.
- -configURL
- For the TAI to establish trust for a request, it requires that
the SvrSslCfg task be run for the Java Virtual Machine on the Application Server and result in
the creation of a properties file. If this properties file is not
at the default URL, which is file://java.home/PdPerm.properties, the
correct URL of the properties file must be set in the configuration
URL property. If this property is not set, and the SvrSslCfg-generated
properties file is not in the default location, the TAI initialization
fails. The default value for the config URL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.
- -defer
- This property indicates whether the Tivoli Access Manager configuration portion
of this task should be run immediately or deferred until the startup
of the WebSphere Application
Server. The default value is no.
Note: The TAI properties
are updated immediately regardless of this setting.
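The via-header rules above (checkViaHeader, hostnames, ports, viaDepth and ignoreProxy, which configureTAMTAIProperties documents identically) as a small runnable model. This is an added example, not IBM's TAI code: the Via parser is constructed here, a hop is treated as a proxy when its comment mentions "proxy", and hostnames and ports are modelled as two independent allow-lists, all of which are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One hop of a Via header: received-protocol received-by [ (comment) ]
# (constructed parser; comments containing commas are not handled)
_VIA_ENTRY = re.compile(
    r"^(?P<proto>\S+)\s+(?P<host>[^\s:(]+)(?::(?P<port>\d+))?\s*(?:\((?P<comment>[^)]*)\))?$"
)


@dataclass
class ViaEntry:
    host: str
    port: Optional[int]
    comment: str


def parse_via(header_value: str):
    """Split a Via header value into hops, first hop first."""
    hops = []
    for raw in header_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _VIA_ENTRY.match(raw)
        if not m:
            raise ValueError("malformed Via entry: %r" % raw)
        hops.append(ViaEntry(
            host=m.group("host"),
            port=int(m.group("port")) if m.group("port") else None,
            comment=m.group("comment") or "",
        ))
    return hops


@dataclass
class TaiViaConfig:
    """The via-related TAI properties documented on this page."""
    check_via_header: bool = False      # -checkViaHeader (default false)
    hostnames: Tuple[str, ...] = ()     # -hostnames, case-sensitive
    ports: Tuple[int, ...] = ()         # -ports
    via_depth: int = 0                  # -viaDepth, 0 = check every hop
    ignore_proxy: bool = False          # -ignoreProxy


def validate(cfg: TaiViaConfig) -> None:
    """Fail the same way TAI initialization fails for an inconsistent configuration."""
    if cfg.via_depth < 0:
        raise ValueError("viaDepth must be 0 or a positive integer")
    if cfg.check_via_header and not cfg.hostnames:
        raise ValueError("checkViaHeader=true but hostnames is not set: TAI initialization fails")
    if cfg.check_via_header and not cfg.ports:
        raise ValueError("checkViaHeader=true but ports is not set: TAI initialization fails")


def via_trusted(cfg: TaiViaConfig, via_value: str) -> bool:
    """Decide whether the hops in via_value satisfy the trust rules on this page."""
    validate(cfg)
    if not cfg.check_via_header:
        # hostnames, ports, viaDepth and ignoreProxy have no influence here
        return True
    hops = parse_via(via_value)
    if cfg.ignore_proxy:
        # Model assumption: a hop is a proxy when its comment says so; such hops are skipped.
        hops = [h for h in hops if "proxy" not in h.comment.lower()]
    # viaDepth 0 means every hop; N means only the last N hops (closest to the server).
    to_check = hops if cfg.via_depth == 0 else hops[-cfg.via_depth:]
    if not to_check:
        return False
    trusted_hosts = set(cfg.hostnames)
    trusted_ports = set(cfg.ports)
    # Model assumption: the host list and the port list are independent allow-lists.
    return all(h.host in trusted_hosts and h.port in trusted_ports for h in to_check)


# The header from the page's viaDepth example
PAGE_VIA = "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"

if __name__ == "__main__":
    both = TaiViaConfig(True, ("webseal1", "webseal2"), (7002, 7001), 0)
    last = TaiViaConfig(True, ("webseal2",), (7001,), 1)
    print(via_trusted(both, PAGE_VIA), via_trusted(last, PAGE_VIA))
```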
Examples
Interactive
mode example usage:
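A way to assemble the Jython-list argument vector for configureTAMTAI while enforcing the constraints this page states (required parameters, host:port:rank server entries with the 7135/7136 defaults, the allowed character set for -adminUid and -secDomain, and hostnames/ports being mandatory once checkViaHeader is true). This is an added helper, not part of wsadmin or IBM's scripts; the parameter values in the usage block are constructed.

```python
import re

# Allowed characters for -adminUid and -secDomain as listed on this page (no spaces)
_IDENT = re.compile(r"^[A-Za-z0-9._+\-@&*]+$")
# host:SSL-port:rank, for example myauth.mycompany.com:7135:1
_SERVER = re.compile(r"^[A-Za-z0-9.-]+:\d+:\d+$")

REQUIRED = ("policySvr", "authSvrs", "adminPasswd", "loginId")
DEFAULT_PORT = {"policySvr": 7135, "authSvrs": 7136}
KNOWN = REQUIRED + ("adminUid", "secDomain", "checkViaHeader", "id", "hostnames",
                    "ports", "viaDepth", "ssoPwdExpiry", "ignoreProxy", "configURL", "defer")


def check_server_list(param: str, value: str) -> None:
    """-policySvr / -authSvrs take comma-separated host:port:rank entries."""
    for entry in value.split(","):
        if not _SERVER.match(entry):
            raise ValueError("%s: %r is not host:port:rank (for example myauth.mycompany.com:%d:1)"
                             % (param, entry, DEFAULT_PORT[param]))


def build_configure_tamtai_args(params: dict) -> list:
    """Return the list to pass to AdminTask.configureTAMTAI, or raise ValueError."""
    unknown = sorted(set(params) - set(KNOWN))
    if unknown:
        raise ValueError("unknown parameters: %s" % unknown)
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError("missing required parameters: %s" % missing)
    for param in ("policySvr", "authSvrs"):
        check_server_list(param, params[param])
    for param in ("adminUid", "secDomain"):
        if param in params and not _IDENT.match(params[param]):
            raise ValueError("%s: %r contains a space or a character outside the allowed set"
                             % (param, params[param]))
    if str(params.get("checkViaHeader", "false")).lower() == "true":
        # With checkViaHeader=true, a missing hostnames or ports property makes
        # TAI initialization fail, so reject it before the command is run.
        for param in ("hostnames", "ports"):
            if not params.get(param):
                raise ValueError("checkViaHeader=true requires -%s" % param)
    for param in ("viaDepth", "ssoPwdExpiry"):
        if param in params and not str(params[param]).isdigit():
            raise ValueError("%s must be a non-negative integer" % param)
    args = []
    for key in KNOWN:  # stable order: required parameters first, then optional ones
        if key in params:
            args += ["-" + key, str(params[key])]
    return args


if __name__ == "__main__":
    # Constructed values; inside wsadmin the result is passed as
    # AdminTask.configureTAMTAI(build_configure_tamtai_args(params))
    params = {"policySvr": "myauth.mycompany.com:7135:1",
              "authSvrs": "myauth.mycompany.com:7136:1",
              "adminPasswd": "EXAMPLE_PASSWORD",     # constructed placeholder
              "loginId": "webseal_trusted",          # constructed placeholder
              "checkViaHeader": "true", "hostnames": "webseal1,webseal2",
              "ports": "7002,7001", "viaDepth": 0}
    print(build_configure_tamtai_args(params))
```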
unconfigureTAMTAI
The unconfigureTAMTAI command unconfigures the embedded Tivoli Access Manager Trust Association
Interceptor with classname TAMTrustAssociationInterceptorPlus. This
task does not include removing any custom properties from the security
configuration.
Target object
None.
Required parameters
- -adminPasswd
- Specifies the password of the Tivoli Access Manager administrator user that is associated
with the -adminUid parameter. The password restrictions depend upon
the password policy for your Tivoli Access Manager configuration.
Optional parameters
- -adminUid
- Specifies the Tivoli Access
Manager administrator name. If this option is not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive
string. String values are expected to be characters that are part
of the local code set. You cannot use a space in the administrative
ID.
For example, for U.S. English the valid characters are the letters
a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign
(+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk
(*). The minimum and maximum lengths of the administrative ID, if
there are limits, are imposed by the underlying registry.
- -force
- Indicates whether or not this task should stop when an error is
encountered. The default value is no.
- -defer
- Indicates whether this task should be run immediately or deferred
until the startup of the WebSphere Application Server. The default value is no.
Examples
Interactive
mode example usage:
configureTAMTAIProperties
The configureTAMTAIProperties command adds the custom properties
to the security configuration for the embedded Tivoli Access Manager Trust Association Interceptor
with classname TAMTrustAssociationInterceptorPlus.
Target object
None.
Required parameters
- -loginId
- The WebSEAL trusted user is created as discussed in "Creating
a trusted user account in Tivoli Access Manager". See the Configuring single sign-on using trust
association interceptor ++ article for more information. The format
of the username is the short name representation.
Optional parameters
- -checkViaHeader
- You can configure TAI so that the via header can be ignored when
validating trust for a request. Set this property to false if none
of the hosts in the via header need to be trusted. When set to false you do not need to set the trusted host names and host
ports properties. The only mandatory property to check when via header
is false is com.ibm.websphere.security.webseal.loginId. The default
value of the check via header property is false. When using Tivoli Access Manager plug-in
for Web servers, set this property to false.
Note: The via header is
part of the standard HTTP header that records the server names that
the request passed through.
- -id
- This property indicates a comma-separated list of headers that
exists in the request. If all of the configured headers do not exist
in the request, trust cannot be established. The default value for
the ID property is iv-creds. Any other values set in WebSphere Application Server
are added to the list along with iv-creds, separated by commas.
- -hostnames
- Do not set this property if using Tivoli Access Manager plug-in for Web Servers.
The property specifies the host names (case-sensitive) that are both
trusted and expected in the request header. Requests arriving from
unlisted hosts might not be trusted. If the checkViaHeader property
is not set, or is set to false, then the trusted host names
property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, the TAI
initialization fails.
- -ports
- Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers.
This property is a comma-separated list of trusted host ports. Requests
that arrive from unlisted ports might not be trusted. If the checkViaHeader
property is not set, or is set to false, then this property
has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization
fails.
- -viaDepth
- This property indicates a positive integer that specifies the
number of source hosts in the via header to check for trust. By default,
every host in the via header is checked, and if any host is not trusted,
trust cannot be established. The viaDepth property is used only when
some of the hosts in the via header have to be trusted. The setting
indicates the number of hosts that are required to be trusted.
As an example, consider the following header:
via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
If the viaDepth property is not set, is set to 2 or is set to 0, and a request
with the previous via header is received, then both webseal1:7002 and
webseal2:7001 need to be trusted. The following configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
com.ibm.websphere.security.webseal.ports = 7002,7001
If the viaDepth property is set to 1, and the previous request is received,
then only the last host in the via header needs to be trusted. The following
configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal2
com.ibm.websphere.security.webseal.ports = 7001
The viaDepth property is set to 0 by default, which means that all of the
hosts in the via header are checked for trust.
- -ssoPwdExpiry
- After trust is established for a request, the single sign-on user
password is cached, eliminating the need to have the TAI re-authenticate
the single sign-on user with Tivoli Access Manager for every request. You can modify the cache timeout
period by setting the single sign-on password expiry property to the
required time in seconds. If the password expiry property is set to
0, the cached password never expires. The default value for the password
expiry property is 600.
- -ignoreProxy
- This property can be used to tell the TAI to ignore proxies as
trusted hosts. If set to true, the comments field of the
hosts entry in the via header is checked to determine if a host is
a proxy. Remember that not all proxies insert comments in the via
header indicating that they are proxies. The default value of the
ignoreProxy property is false. If the checkViaHeader property
is set to false, then the ignoreProxy property has no influence in
establishing trust.
- -configURL
- For the TAI to establish trust for a request, it requires that
the SvrSslCfg task be run for the Java Virtual Machine on the Application Server and result in
the creation of a properties file. If this properties file is not
at the default URL, which is file://java.home/PdPerm.properties, the correct URL of the properties file must be set in the configuration
URL property. If this property is not set, and the SvrSslCfg-generated
properties file is not in the default location, the TAI initialization
fails. The default value for the config URL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.
Examples
Interactive
mode example usage:
unconfigureTAMTAIProperties
The unconfigureTAMTAIProperties command removes the custom properties
from the security configuration for the embedded Tivoli Access Manager Trust Association Interceptor
with classname TAMTrustAssociationInterceptorPlus.
Target object
None.
Required parameters
None.
Optional parameters
None.
Examples
Interactive mode example
usage:
configureTAMTAIPdjrte
The configureTAMTAIPdjrte command performs the tasks necessary to fully
configure the Tivoli Access Manager Runtime for Java. The specific tasks
run are PDJrteCfg and SvrSslCfg.
Target object
None.
Required parameters
- -policySvr
- This property specifies the name of the Tivoli Access Manager policy server with which
the application server communicates. The server is specified by fully
qualified host name, the SSL port number, and the rank. The default
SSL port number is 7135. For example: myauth.mycompany.com:7135:1.
- -authSvrs
- This property specifies the name of the Tivoli Access Manager authorization server
with which the application server communicates. The server is specified
by fully-qualified host name, the SSL port number, and the rank. The
default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. You can specify multiple servers if the entries are separated by
a comma (,).
- -adminPasswd
- This property specifies the password of the Tivoli Access Manager administrator user that
is associated with the -adminUid parameter. The password restrictions
depend upon the password policy for your Tivoli Access Manager configuration.
Optional parameters
- -adminUid
- This property specifies the Tivoli Access Manager administrator name. If this option is
not specified, sec_master is the default. A valid administrative
ID is an alphanumeric, case-sensitive string. String values are expected
to be characters that are part of the local code set. You cannot use
a space in the administrative ID.
For example, for U.S. English,
the valid characters are the letters a-Z, the numbers 0-9, a period
(.), an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the administrative ID, if there are limits, are imposed
by the underlying registry.
- -secDomain
- This property specifies the Tivoli Access Manager domain name to which the administrator
is authenticated. This domain must exist and an administrator ID and
password must be valid for this domain. The application server is
specified in this domain.
If this property is not specified, the
default value is Default. The local domain value is retrieved
from the configuration file.
A valid domain name is an alphanumeric,
case-sensitive string. String values are expected to be characters
that are part of the local code set. You cannot use a space in the
domain name.
For example, for U.S. English, the valid characters
for domain names are the letters a-Z, the numbers 0-9, a period (.),
an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the domain name, if there are limits, are imposed by the
underlying registry.
- -defer
- This property indicates whether this task should be run immediately
or deferred until the startup of the WebSphere Application Server. The default
value is no.
Examples
Interactive
mode example usage:
unconfigureTAMTAIPdjrte
The unconfigureTAMTAIPdjrte
command performs the tasks necessary to unconfigure the Tivoli Access Manager Runtime for Java. The specific tasks run are PDJrteCfg and
SvrSslCfg.
Target object
None.
Required parameters
- -adminPasswd
- This property specifies the password of the Tivoli Access Manager administrator user that
is associated with the -adminUid parameter. The password restrictions
depend upon the password policy for your Tivoli Access Manager configuration.
Optional parameters
- -adminUid
- This property specifies the Tivoli Access Manager administrator name. If this option is
not specified, sec_master is the default. A valid administrative
ID is an alphanumeric, case-sensitive string. String values are expected
to be characters that are part of the local code set. You cannot use
a space in the administrative ID.
- -force
- This property indicates whether or not this task should stop when
an error is encountered. The default value is no.
- -defer
- This property indicates whether this task should be run immediately
or deferred until the startup of the WebSphere Application Server. The default
value is no.
Examples
Interactive
mode example usage:
configureTAMTAI
newfeat
The configureTAMTAI
command configures the embedded Tivoli Access Manager trust association interceptor (TAI) with
classname TAMTrustAsociationInterceptorPlus.
Target object
None.
Required parameters
- -policySvr
- This property specifies the name of the Tivoli Access Manager policy server with which
the application server communicates. The server is specified by a
fully-qualified host name, the SSL port number, and the rank. The
default SSL port number is 7135. For example: myauth.mycompany.com:7135:1.
- -authSvrs
- This property specifies the name of the Tivoli Access Manager authorization server
with which the application server communicates. The server is specified
by a fully-qualified host name, the SSL port number, and the rank.
The default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. You can specify multiple servers if the entries are separated by
a comma (,).
- -adminPasswd
- This property specifies the password of the Tivoli Access Manager administrator user that
is associated with the -adminUid parameter. The password restrictions
depend upon the password policy for your Tivoli Access Manager configuration.
- -loginId
- The WebSEAL trusted user as created in "Creating a trusted user
account in Tivoli Access
Manager". See the Configuring single sign-on using trust association
interceptor ++ article for more information. The format of the username
is the short name representation.
Optional parameters
- -adminUid
- This property specifies the Tivoli Access Manager administrator name. If this option is
not specified, sec_master is the default. A valid administrative
ID is an alphanumeric, case-sensitive string. String values are expected
to be characters that are part of the local code set. You cannot use
a space in the administrative ID.
For example, for U.S. English,
the valid characters are the letters a-Z, the numbers 0-9, a period
(.), an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the administrative ID, if there are limits, are imposed
by the underlying registry.
- -secDomain
- This property specifies the Tivoli Access Manager domain name to which the administrator
is authenticated. This domain must exist and an administrator ID and
password must be valid for this domain. The application server is
specified in this domain. If the application server is not specified,
the default value is Default. The local domain value is retrieved
from the configuration file.
A valid domain name is an alphanumeric,
case-sensitive string. String values are expected to be characters
that are part of the local code set. You cannot use a space in the
domain name.
For example, for U.S. English, the valid characters
for domain names are the letters a-Z, the numbers 0-9, a period (
. ), an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the domain name, if there are limits, are imposed by the
underlying registry.
- -checkViaHeader
- You can configure TAI so that the via header can be ignored when
validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When
set to false, you do not need to set the trusted host names and host
ports properties. The only mandatory property to check when the via
header is false is com.ibm.websphere.security.webseal.loginId. The
default value of the check via header property is false.
When using Tivoli Access
Manager plug-in for Web servers, set this property to false.
Note: The via header is part of the standard HTTP header that records the
server names that the request passed through.
- -id
- This property specifies a comma-separated list of headers that
exists in the request. If all of the configured headers do not exist
in the request, trust cannot be established. The default value for
the ID property is iv-creds. Any other values set in WebSphere Application Server
are added to the list along with iv-creds, separated by commas.
- -hostnames
- Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers.
This property specifies the host names (case-sensitive) that are both
trusted and expected in the request header. Requests arriving from
unlisted hosts might not be trusted. If the checkViaHeader property
is not set, or is set to false, then the trusted host names
property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, the TAI
initialization fails.
- -ports
- Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers.
This property is a comma-separated list of trusted host ports. Requests
that arrive from unlisted ports might not be trusted. If the checkViaHeader
property is not set, or is set to false, then this property
has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization
fails.
- -viaDepth
- This property indicates a positive integer that specifies the
number of source hosts in the via header to check for trust. By default,
every host in the via header is checked, and if any host is not trusted,
trust cannot be established. The viaDepth property is used when only
some of the hosts in the via header have to be trusted. The setting
indicates the number of hosts that are required to be trusted.
For
example, consider the following header:
If in via: HTTP/1.1
webseal1:7002, 1.1 webseal2:7001If the viaDepth property is not set,
is set to 2 or is set to 0, and a request with the previous via header
is received then both webseal1:7002 and webseal2:7001 need to be trusted.
The following configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
If in com.ibm.websphere.security.webseal.ports
= 7002,7001If the viaDepth property is set to 1, and the previous
request is received, then only the last host in the via header needs
to be trusted. The following configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal2
com.ibm.websphere.security.webseal.ports = 7001
The viaDepth property is set to 0 by default,
which means that all of the hosts in the via header are checked for
trust.
- -ssoPwdExpiry
- After trust is established for a request, the single sign-on user
password is cached, eliminating the need to have the TAI re-authenticate
the single sign-on user with Tivoli Access Manager for every request. You can modify the cache timeout
period by setting the single sign-on password expiry property to the
required time in seconds. If the password expiry property is set to
0, the cached password never expires. The default value for the password
expiry property is 600.
- -ignoreProxy
- This property can be used to tell the TAI to ignore proxies as
trusted hosts. If set to true the comments field of the hosts
entry in the via header is checked to determine if a host is a proxy.
Remember that not all proxies insert comments in the via header indicating
that they are proxies. The default value of the ignoreProxy property
is false. If the checkViaHeader property is set to false,
then the ignoreProxy property has no influence in establishing trust.
- -configURL
- For the TAI to establish trust for a request, it requires that
the SvrSslCfg task be run for the Java Virtual Machine on the Application Server and result in
the creation of a properties file. If this properties file is not
at the default URL, which is file://java.home/PdPerm.properties, the
correct URL of the properties file must be set in the configuration
URL property. If this property is not set, and the SvrSslCfg-generated
properties file is not in the default location, the TAI initialization
fails. The default value for the config URL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.
- -defer
- This property indicates whether the Tivoli Access Manager configuration portion
of this task should be run immediately or deferred until the startup
of the WebSphere Application
Server. The default value is no.
Note: The TAI properties
are updated immediately regardless of this setting.
Examples
Interactive mode example usage:
unconfigureTAMTAI
The unconfigureTAMTAI command unconfigures the embedded Tivoli Access
Manager Trust Association Interceptor with classname
TAMTrustAssociationInterceptorPlus. This task does not include removing
any custom properties from the security configuration.
Target object
None.
Required parameters
- -adminPasswd
- Specifies the password of the Tivoli Access Manager administrator user that is associated
with the -adminUid parameter. The password restrictions depend upon
the password policy for your Tivoli Access Manager configuration.
Optional parameters
- -adminUid
- Specifies the Tivoli Access
Manager administrator name. If this option is not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive
string. String values are expected to be characters that are part
of the local code set. You cannot use a space in the administrative
ID.
For example, for U.S. English the valid characters are the letters
a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign
(+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk
(*). The minimum and maximum lengths of the administrative ID, if
there are limits, are imposed by the underlying registry.
- -force
- Indicates whether or not this task should stop when an error is
encountered. The default value is no.
- -defer
- Indicates whether this task should be run immediately or deferred
until the startup of the WebSphere Application Server. The default value is no.
Examples
Interactive mode example usage:
configureTAMTAIProperties
The configureTAMTAIProperties command adds the custom properties to the
security configuration for the embedded Tivoli Access Manager Trust
Association Interceptor with classname TAMTrustAssociationInterceptorPlus.
Target object
None.
Required parameters
- -loginId
- The WebSEAL trusted user is created as discussed in "Creating
a trusted user account in Tivoli Access Manager". See the Configuring single sign-on using trust
association interceptor ++ article for more information. The format
of the username is the short name representation.
Optional parameters
- -checkViaHeader
- You can configure the TAI so that the via header is ignored when
validating trust for a request. Set this property to false if none
of the hosts in the via header need to be trusted. When set to false,
you do not need to set the trusted host names and host ports properties.
The only mandatory property to check when checkViaHeader is false is
com.ibm.websphere.security.webseal.loginId. The default value of the
checkViaHeader property is false. When using the Tivoli Access Manager
plug-in for Web servers, set this property to false.
Note: The via header is
part of the standard HTTP header that records the server names that
the request passed through.
- -id
- This property indicates a comma-separated list of headers that
exists in the request. If all of the configured headers do not exist
in the request, trust cannot be established. The default value for
the ID property is iv-creds. Any other values set in WebSphere Application Server
are added to the list along with iv-creds, separated by commas.
- -hostnames
- Do not set this property if using Tivoli Access Manager plug-in for Web Servers.
The property specifies the host names (case-sensitive) that are both
trusted and expected in the request header. Requests arriving from
unlisted hosts might not be trusted. If the checkViaHeader property
is not set, or is set to false, then the trusted host names
property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, the TAI
initialization fails.
- -ports
- Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers.
This property is a comma-separated list of trusted host ports. Requests
that arrive from unlisted ports might not be trusted. If the checkViaHeader
property is not set, or is set to false, then this property
has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization
fails.
- -viaDepth
- This property indicates a positive integer that specifies the
number of source hosts in the via header to check for trust. By default,
every host in the via header is checked, and if any host is not trusted,
trust cannot be established. The viaDepth property is used only when
some of the hosts in the via header have to be trusted. The setting
indicates the number of hosts that are required to be trusted.
As an example, consider the following header:
via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
If the viaDepth property is not set, is set to 2, or is set to 0, and
a request with the previous via header is received, then both
webseal1:7002 and webseal2:7001 need to be trusted. The following
configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
com.ibm.websphere.security.webseal.ports = 7002,7001
If the viaDepth property is set to 1, and the previous request is
received, then only the last host in the via header needs to be
trusted. The following configuration then applies:
com.ibm.websphere.security.webseal.hostnames = webseal2
com.ibm.websphere.security.webseal.ports = 7001
The viaDepth property is set to 0 by default, which means that all of
the hosts in the via header are checked for trust.
- -ssoPwdExpiry
- After trust is established for a request, the single sign-on user
password is cached, eliminating the need to have the TAI re-authenticate
the single sign-on user with Tivoli Access Manager for every request. You can modify the cache timeout
period by setting the single sign-on password expiry property to the
required time in seconds. If the password expiry property is set to
0, the cached password never expires. The default value for the password
expiry property is 600.
- -ignoreProxy
- This property can be used to tell the TAI to ignore proxies as
trusted hosts. If set to true, the comments field of the
hosts entry in the via header is checked to determine if a host is
a proxy. Remember that not all proxies insert comments in the via
header indicating that they are proxies. The default value of the
ignoreProxy property is false. If the checkViaHeader property
is set to false, then the ignoreProxy property has no influence in
establishing trust.
- -configURL
- For the TAI to establish trust for a request, it requires that
the SvrSslCfg task be run for the Java Virtual Machine on the Application Server and result in
the creation of a properties file. If this properties file is not
at the default URL, which is file://java.home/PdPerm.properties, the correct URL of the properties file must be set in the configuration
URL property. If this property is not set, and the SvrSslCfg-generated
properties file is not in the default location, the TAI initialization
fails. The default value for the config URL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.
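Added example, not IBM's code: a small Python model of the via-header trust decision described under the checkViaHeader, hostnames, ports, viaDepth and ignoreProxy properties, using the two-hop header from the viaDepth discussion as constructed input. It assumes loose host/port pairing (each hop's host and port are checked against their own lists) and that a via comment mentioning "proxy" marks a proxy hop; the TAI's real implementation is not shown on this page.

```python
import re

# Constructed sample: the header discussed in the -viaDepth description.
SAMPLE_VIA = "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"

# One via hop: protocol token, received-by host[:port], optional (comment).
_VIA_ENTRY = re.compile(r"^\S+\s+([^\s:(]+)(?::(\d+))?(?:\s*\((.*)\))?\s*$")


def parse_via(via_header):
    """Return [(host, port, comment), ...] per hop, first hop first.
    A hop without a port gets None; a hop without a comment gets ''."""
    hops = []
    for part in via_header.split(","):
        m = _VIA_ENTRY.match(part.strip())
        if not m:
            raise ValueError("malformed via entry: %r" % part)
        host, port, comment = m.groups()
        hops.append((host, int(port) if port else None, comment or ""))
    return hops


def via_hops_trusted(via_header, check_via_header=False, hostnames=(),
                     ports=(), via_depth=0, ignore_proxy=False):
    """Apply the documented semantics to one request's via header.

    checkViaHeader=false: the header is not inspected at all.
    viaDepth=0: every hop is checked; viaDepth=n: only the last n hops.
    ignoreProxy=true: hops whose comment marks a proxy are skipped.
    """
    if not check_via_header:
        return True
    if not hostnames or not ports:
        # The page states TAI initialization fails in this case.
        raise ValueError("hostnames and ports are required when checkViaHeader is true")
    hops = parse_via(via_header)
    if ignore_proxy:
        # Assumption: a comment containing 'proxy' identifies a proxy hop.
        hops = [h for h in hops if "proxy" not in h[2].lower()]
    if via_depth > 0:
        hops = hops[-via_depth:]
    trusted_hosts = set(hostnames)
    trusted_ports = set(int(p) for p in ports)
    # Assumption: loose pairing, host and port each checked against its list.
    return all(host in trusted_hosts and port in trusted_ports
               for host, port, _ in hops)
```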
Examples
Interactive mode example usage:
unconfigureTAMTAIProperties
The unconfigureTAMTAIProperties command removes the custom properties
from the security configuration for the embedded Tivoli Access Manager
Trust Association Interceptor with classname TAMTrustAssociationInterceptorPlus.
Target object
None.
Required parameters
None.
Optional parameters
None.
Examples
Interactive mode example usage:
configureTAMTAIPdjrte
The configureTAMTAIPdjrte command performs the tasks necessary
to fully configure the Tivoli Access Manager Runtime for Java. The specific tasks run are PDJrteCfg and SvrSslCfg.
Target object
None.
Required parameters
- -policySvr
- This property specifies the name of the Tivoli Access Manager policy server with which
the application server communicates. The server is specified by fully
qualified host name, the SSL port number, and the rank. The default
SSL port number is 7135. For example: myauth.mycompany.com:7135:1.
- -authSvrs
- This property specifies the name of the Tivoli Access Manager authorization server
with which the application server communicates. The server is specified
by fully-qualified host name, the SSL port number, and the rank. The
default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. You can specify multiple servers if the entries are separated by
a comma (,).
- -adminPasswd
- This property specifies the password of the Tivoli Access Manager administrator user that
is associated with the -adminUid parameter. The password restrictions
depend upon the password policy for your Tivoli Access Manager configuration.
Optional parameters
- -adminUid
- This property specifies the Tivoli Access Manager administrator name. If this option is
not specified, sec_master is the default. A valid administrative
ID is an alphanumeric, case-sensitive string. String values are expected
to be characters that are part of the local code set. You cannot use
a space in the administrative ID.
For example, for U.S. English,
the valid characters are the letters a-Z, the numbers 0-9, a period
(.), an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the administrative ID, if there are limits, are imposed
by the underlying registry.
- -secDomain
- This property specifies the Tivoli Access Manager domain name to which the administrator
is authenticated. This domain must exist and an administrator ID and
password must be valid for this domain. The application server is
specified in this domain.
If this property is not specified, the
default value is Default. The local domain value is retrieved
from the configuration file.
A valid domain name is an alphanumeric,
case-sensitive string. String values are expected to be characters
that are part of the local code set. You cannot use a space in the
domain name.
For example, for U.S. English, the valid characters
for domain names are the letters a-Z, the numbers 0-9, a period
(.), an underscore (_), a plus sign (+), a hyphen (-), an at sign
(@), an ampersand (&), and an asterisk (*). The minimum and maximum
lengths of the domain name, if there are limits, are imposed by the
underlying registry.
- -defer
- This property indicates whether this task should be run immediately
or deferred until the startup of the WebSphere Application Server. The default
value is no.
Examples
Interactive mode example usage:
unconfigureTAMTAIPdjrte
The unconfigureTAMTAIPdjrte command performs the tasks necessary
to unconfigure the Tivoli Access Manager Runtime for Java. The specific tasks run are PDJrteCfg and SvrSslCfg.
Target object
None.
Required parameters
- -adminPasswd
- This property specifies the password of the Tivoli Access Manager administrator user that
is associated with the -adminUid parameter. The password restrictions
depend upon the password policy for your Tivoli Access Manager configuration.
Optional parameters
- -adminUid
- This property specifies the Tivoli Access Manager administrator name. If this option is
not specified, sec_master is the default. A valid administrative
ID is an alphanumeric, case-sensitive string. String values are expected
to be characters that are part of the local code set. You cannot use
a space in the administrative ID.
- -force
- This property indicates whether or not this task should stop when
an error is encountered. The default value is no.
- -defer
- This property indicates whether this task should be run immediately
or deferred until the startup of the WebSphere Application Server. The default
value is no.
Examples
Interactive mode example usage: