Migrating with Tivoli Access Manager for authentication enabled on multiple nodes

When Tivoli Access Manager security is configured for your existing environment and security is enabled for multiple nodes, you can migrate to WebSphere Application Server, Version 6.1.

Before you begin

Your profiles must be migrated using the tools in Using the migration tools to migrate product configurations.
Important: Do not restart the WebSphere Application Server Version 6.1 servers until after performing the following procedure. The migration tools omit some files that enable the server to start correctly.

About this task

After migrating your profiles additional steps are required when Tivoli Access Manager security is configured.

Procedure

  1. [AIX HP-UX Linux Solaris Windows] [z/OS] On the deployment manager (Host1), copy the following files from the existing directory to a comparable directory in Version 6.1:
    %WAS_HOME%\java\jre\PDPerm.properties
    %WAS_HOME%\java\jre\lib\security\PdPerm.ks
    %WAS_HOME%\java\jre\PolicyDirector\PDCA.ks
    %WAS_HOME%\java\jre\PolicyDirector\PD.properties
    %WAS_HOME%\java\jre\PolicyDirector\PDJLog.properties
  2. [AIX HP-UX Linux Solaris Windows] [z/OS] On the deployment manager, edit the PD.properties file and change the following configuration settings:
    pd-home=C\:\\Program
    Files\\WebSphere\\DeploymentManager\\java\\jre\\PolicyDirector
    pdvar-home=C\:\\Program
    Files\\WebSphere\\DeploymentManager\\java\\jre\\PolicyDirector
    java-home=C\:\\Program Files\\WebSphere\\DeploymentManager\\java\\jre
    Make the appropriate changes to point to your Tivoli Access Manager Policy Server, for example:
    pd-home=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    pdvar-home=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    java-home=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\java\\jre
  3. [AIX HP-UX Linux Solaris Windows] [z/OS] On the deployment manager, edit the PdPerm.properties file, and change all path names to the correct path name. Change the following configuration settings:
    pdvar-home=C\:\\Program
    Files\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    baseGroup.PDJv1dugong-v2dugongMessageFileHandler.fileName=C\:\\Program
    Files\\WebSphere\\AppServer\\java\\jre\\PolicyDirector\\log/msg__v1dugong-v2dugong.log
    
    pdcert-url=file\:/c\:/progra~1/WebSphere/AppServer/java/jre/lib/security/PdPerm.ks
    
    baseGroup.PDJv1dugong-v2dugongTraceFileHandler.fileName=C\:\\Program
    Files\\WebSphere\\AppServer\\java\\jre\\PolicyDirector\\log/trace__v1dugong-v2dugong.log
    
    pd-home=C\:\\Program Files\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    
    java-home=C\:\\Program Files\\WebSphere\\AppServer\\java\\jre
  4. [iSeries] On the deployment manager (Host1), copy the profile_root1/PolicyDirector directory and it's contents to profile_root2/PolicyDirector. For this example:
    • profile_root1 is the root directory of the profile being migrated.
    • profile_root2 is the root directory of the version 6.1 profile.
    1. From an i5/OS command line, type STRQSH and press Enter.
    2. Type cp -R profile_root1/PolicyDirector profile_root2 and press Enter.
  5. [iSeries] On the deployment manager, copy the key file of the profile being migrated to the version 6.1 profile. The location of the key file is defined in profile_root1/PolicyDirector/PdPerm.properties. For this example:
    • The PdPerm.properties file contains pdcert-url=file\:/QIBM/UserData/WebAS51/ND/Dmgr01/etc/Dmgr01.kdb..
    • /QIBM/UserData/WebAS51/ND/Dmgr01 is the root directory of a Version 5.1 profile.
    1. From an i5/OS command line type STRQSH and press Enter.
    2. Type cp /QIBM/UserData/WebAS51/ND/Dmgr01/etc/Dmgr01.kdb profile_root2/etc/Dmgr01.kdb and press Enter.
  6. [iSeries] On the deployment manager, edit the property values in profile_root2/PolicyDirector/PdPerm.properties and in profile_root2/PolicyDirector/Pd.properties to replace occurrences of profile_root1 with profile_root2 in the file path name values.
  7. Start the WebSphere Application Server deployment manager.
  8. [AIX HP-UX Linux Solaris Windows] [z/OS] On Host2, copy the following missing files from the existing directory to a comparable directory in Version 6.1:
    %WAS_HOME%\java\jre\PDPerm.properties
    %WAS_HOME%\java\jre\lib\security\PdPerm.ks
    %WAS_HOME%\java\jre\PolicyDirector\PDCA.ks
  9. [AIX HP-UX Linux Solaris Windows] [z/OS] On Host2, edit the PD.properties file and change the following configuration setting:
    appsvr-plcysvrs=null\:0:\:1
    Make the appropriate changes to point to your Tivoli Access Manager Policy Server, for example:
    appsvr-plcysvrs=pdmgrd.test.gc.au.ibm.com\:7135\:1
  10. [AIX HP-UX Linux Solaris Windows] [z/OS] On Host2, edit the PD.properties file, and change all path names to the correct path name. Change the following configuration settings:
    pdvar-home=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    baseGroup.PDJv1dugong-v2dugongMessageFileHandler.fileName=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector\\log/msg__v1dugong-v2dugong.log
    
    pdcert-url=file\:/c\:/progra~1/IBM/WebSphere/AppServer/java/jre/lib/security/PdPerm.ks
    
    baseGroup.PDJv1dugong-v2dugongTraceFileHandler.fileName=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector\\log/trace__v1dugong-v2dugong.log
    
    pd-home=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    java-home=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\java\\jre
    config_type=standalone
  11. [iSeries] On Host2, copy the profile_root1/PolicyDirector directory and it's contents to profile_root2/PolicyDirector. For this example:
    • profile_root1 is the root directory of the profile being migrated.
    • profile_root2 is the root directory of the version 6.1 profile.
    1. From an i5/OS command line, type STRQSH and press Enter.
    2. Type cp -R profile_root1/PolicyDirector profile_root2 and press Enter.
  12. [iSeries] On Host2, copy the key file of the profile being migrated to the version 6.1 profile. The location of the key file is defined in profile_root1/PolicyDirector/PdPerm.properties. For this example:
    • The PdPerm.properties file contains pdcert-url=file\:/QIBM/UserData/WebAS51/Base/AppSvr1/etc/AppSvr1.kdb.
    • /QIBM/UserData/WebAS51/Base/AppSvr1 is the root directory of a Version 5.1 profile.
    1. From an i5/OS command line type STRQSH and press Enter.
    2. Type cp /QIBM/UserData/WebAS51/Base/AppSvr1/etc/AppSvr1.kdb profile_root2/etc/AppSvr1.kdb and press Enter.
  13. [iSeries] On Host2, edit the property values in profile_root2/PolicyDirector/PdPerm.properties and in profile_root2/PolicyDirector/Pd.properties to replace occurrences of profile_root1 with profile_root2 in the file path name values.
  14. On Host2, start the node agent and its associated application server.
  15. [AIX HP-UX Linux Solaris Windows] [z/OS] Host3, copy the following missing files from the existing directory to a comparable directory in Version 6.1:
    %WAS_HOME%\java\jre\PDPerm.properties
    %WAS_HOME%\java\jre\lib\security\PdPerm.ks
    %WAS_HOME%\java\jre\PolicyDirector\PDCA.ks
  16. [AIX HP-UX Linux Solaris Windows] [z/OS] On Host3, edit the PD.properties file and change the following configuration setting:
    appsvr-plcysvrs=null\:0:\:1
    Make the appropriate changes to point to your Tivoli Access Manager Policy Server, for example:
    appsvr-plcysvrs=pdmgrd.test.gc.au.ibm.com\:7135\:1
  17. [AIX HP-UX Linux Solaris Windows] [z/OS] On Host3, edit the PdPerm.properties file, and change all path names to the correct path name. Change the following configuration settings:
    pdvar-home=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    baseGroup.PDJv1dugong-v2dugongMessageFileHandler.fileName=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector\\log/msg__v1dugong-v2dugong.log
    
    pdcert-url=file\:/c\:/progra~1/IBM/WebSphere/AppServer/java/jre/lib/security/PdPerm.ks
    
    baseGroup.PDJv1dugong-v2dugongTraceFileHandler.fileName=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector\\log/trace__v1dugong-v2dugong.log
    
    pd-home=C\:\\Program
    Files\\IBM\\WebSphere\\AppServer\\java\\jre\\PolicyDirector
    java-home=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\java\\jre
    config_type=standalone
  18. [iSeries] On Host3, copy the profile_root1/PolicyDirector directory and it's contents to profile_root2/PolicyDirector. For this example:
    • profile_root1 is the root directory of the profile being migrated.
    • profile_root2 is the root directory of the version 6.1 profile.
    1. From an i5/OS command line, type STRQSH and press Enter.
    2. Type cp -R profile_root1/PolicyDirector profile_root2 and press Enter.
  19. [iSeries] On Host3, copy the key file of the profile being migrated to the version 6.1 profile. The location of the key file is defined in profile_root1/PolicyDirector/PdPerm.properties. For this example:
    • The PdPerm.properties file contains pdcert-url=file\:/QIBM/UserData/WebAS51/Base/AppSvr1/etc/AppSvr1.kdb.
    • /QIBM/UserData/WebAS51/Base/AppSvr1 is the root directory of a Version 5.1 profile.
    1. From an i5/OS command line type STRQSH and press Enter.
    2. Type cp /QIBM/UserData/WebAS51/Base/AppSvr1/etc/AppSvr1.kdb profile_root2/etc/AppSvr1.kdb and press Enter.
  20. [iSeries] On Host3, edit the property values in profile_root2/PolicyDirector/PdPerm.properties and in profile_root2/PolicyDirector/Pd.properties to replace occurrences of profile_root1 with profile_root2 in the file path name values.
  21. On Host3, start the node agent and its associated application server.

What to do next

Also see the migration information with Tivoli Access Manager for authentication that is enabled on a single nodes with security enabled.



In this information ...


Related concepts

IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic Task topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tsec_migratemultinode
File name: tsec_migratemultinode.html