The migrateEAR utility migrates changes made to console users and groups in the admin-authz.xml and naming-authz.xml files into the Tivoli® Access Manager object space.
migrateEAR -j fully_qualified_filename -c pdPerm.properties_file_location -a Tivoli_Access_Manager_administrator_ID -p Tivoli_Access_Manager_administrator_password -w WebSphere_Application_Server_administrator_user_name -d user_registry_domain_suffix [-r root_objectspace_name] [-t ssl_timeout] [-z role_mapping_location]
This parameter is optional. When the parameter is not specified, you are prompted to supply it at run time.
file:/opt/IBM/WebSphere/AppServer/java/jre/PdPerm.properties
file:/usr/IBM/WebSphere/AppServer/java/jre/PdPerm.properties
file:/"C:/Program Files/IBM/WebSphere/AppServer/java/jre/PdPerm.properties"
file:profile_root/etc/pd/PdPerm.properties
Windows® platforms require that the domain suffix is enclosed within quotes.
You can use the pdadmin user show command to display the distinguished name (DN) for a user.
file:/opt/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml
file:/usr/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml
"C:/Program Files/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/admin-authz.xml"
profile_root/config/cells/cell_name
When this parameter is not specified, the user is prompted to supply the password for the administrative user name.
The default value for the root object space is WebAppServer.
Set the Tivoli Access Manager root object space name by modifying the amwas.amjacc.template.properties file prior to configuring the Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager for the first time. Use this option if the default object space value is not used in the configuration of the Tivoli Access Manager JACC provider for Tivoli Access Manager.
Do not change the Tivoli Access Manager object space name after the Tivoli Access Manager JACC provider is configured.
The default is 60 minutes. The minimum value is 10 minutes. The maximum value cannot exceed the Tivoli Access Manager ssl-v3-timeout value. The default value for ssl-v3-timeout is 120 minutes.
If you are not familiar with the administration of this value, you can safely use the default value.
When the WebSphere Application Server administrative user does not already exist in the protected object space, it is created or imported. In this case, a random password is generated for the user and the account is marked not valid. Change this password to a known value and mark the account valid before the user is used.
/WebAppServer/deployedResources
/WebAppServer/deployedResources/Roles
This utility migrates security policy information from deployment descriptors or enterprise archive files to Tivoli Access Manager for WebSphere Application Server. The script calls the com.tivoli.pdwas.migrate.Migrate Java class.
Before invoking the script you must run the setupCmdLine.bat or setupCmdLine.sh command. These files are in the %WAS_HOME%/bin directory. The script depends on finding the correct environment variables for the location of prerequisite software.
To enable a new user access to the administrative group in WebSphere Application Server, it is recommended that the user be added to the pdwas-admin group after JACC has been enabled. You can enter the administrative primary ID (adminID) in the group. This is required when the serverID is not the same as the adminID.
pdadmin> group modify pdwas-admin add adminID
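The following wrapper script is an added example and is not part of the IBM documentation or the migrateEAR utility itself. It assembles the migrateEAR command line described above from environment variables (the variable names EAR_FILE, PDPERM_URL, TAM_ADMIN, WAS_ADMIN, DOMAIN_SUFFIX, ROOT_OBJECTSPACE, SSL_TIMEOUT, SSL_V3_TIMEOUT and ROLE_MAPPING are assumptions of this example), locates PdPerm.properties among the candidate paths listed earlier, enforces the documented -t range (at least 10 minutes and no more than the Tivoli Access Manager ssl-v3-timeout, default 120), always quotes the domain suffix, and deliberately omits -p so that migrateEAR prompts for the administrator password instead of exposing it in the process list and shell history.

```shell
#!/bin/sh
# Added example wrapper for migrateEAR (not IBM's code). Assumes the
# WebSphere environment has been set up with setupCmdLine.sh beforehand.

# Locate PdPerm.properties. Candidates may be passed as arguments; with none,
# the locations listed in the documentation are tried in order. Prints the
# file: URL that -c expects, or returns 1 when no readable file is found.
find_pdperm_url() {
    if [ $# -eq 0 ]; then
        set -- /opt/IBM/WebSphere/AppServer/java/jre/PdPerm.properties \
               /usr/IBM/WebSphere/AppServer/java/jre/PdPerm.properties \
               "${WAS_HOME:-/opt/IBM/WebSphere/AppServer}/etc/pd/PdPerm.properties"
    fi
    for candidate in "$@"; do
        if [ -r "$candidate" ]; then
            printf 'file:%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 when MINUTES is an integer within [10, SSL_V3_TIMEOUT].
# SSL_V3_TIMEOUT defaults to the documented ssl-v3-timeout default, 120.
check_ssl_timeout() {
    minutes=$1
    ssl_v3_timeout=${2:-120}
    case $minutes in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    [ "$minutes" -ge 10 ] && [ "$minutes" -le "$ssl_v3_timeout" ]
}

# Print the migrateEAR command line built from environment variables.
# Optional -r/-t/-z are appended only when their variables are set.
# -p is intentionally left out: migrateEAR prompts for it at run time.
build_migrate_cmd() {
    : "${EAR_FILE:?EAR_FILE (fully qualified EAR file) is required}"
    : "${PDPERM_URL:?PDPERM_URL (file: URL of PdPerm.properties) is required}"
    : "${TAM_ADMIN:?TAM_ADMIN (Tivoli Access Manager administrator ID) is required}"
    : "${WAS_ADMIN:?WAS_ADMIN (WebSphere administrator user name) is required}"
    : "${DOMAIN_SUFFIX:?DOMAIN_SUFFIX (user registry domain suffix) is required}"

    # The domain suffix is always quoted; Windows requires it and it is harmless elsewhere.
    cmd="migrateEAR -j \"$EAR_FILE\" -c \"$PDPERM_URL\" -a \"$TAM_ADMIN\""
    cmd="$cmd -w \"$WAS_ADMIN\" -d \"$DOMAIN_SUFFIX\""
    if [ -n "${ROOT_OBJECTSPACE:-}" ]; then
        cmd="$cmd -r \"$ROOT_OBJECTSPACE\""
    fi
    if [ -n "${SSL_TIMEOUT:-}" ]; then
        if ! check_ssl_timeout "$SSL_TIMEOUT" "${SSL_V3_TIMEOUT:-120}"; then
            echo "SSL timeout must be 10..${SSL_V3_TIMEOUT:-120} minutes, got '$SSL_TIMEOUT'" >&2
            return 1
        fi
        cmd="$cmd -t $SSL_TIMEOUT"
    fi
    if [ -n "${ROLE_MAPPING:-}" ]; then
        cmd="$cmd -z \"$ROLE_MAPPING\""
    fi
    printf '%s\n' "$cmd"
}

# Usage sketch with constructed values (run it yourself after reviewing the output):
#   . "$WAS_HOME/bin/setupCmdLine.sh"
#   PDPERM_URL=$(find_pdperm_url) || { echo "PdPerm.properties not found" >&2; exit 1; }
#   EAR_FILE=/tmp/app.ear TAM_ADMIN=sec_master WAS_ADMIN=wasadmin \
#   DOMAIN_SUFFIX="o=ibm,c=us" SSL_TIMEOUT=60 PDPERM_URL="$PDPERM_URL" build_migrate_cmd
# Afterwards, add the administrative ID to pdwas-admin as shown above with pdadmin.
```

Because the script only prints the command, an operator can review the assembled invocation before running it; the prompt for -p then happens interactively inside migrateEAR.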