You might have applications that were installed before you enabled Java Authorization Contract for Containers (JACC)-based authorization. You can start with the default authorization and move to external provider-based authorization that uses JACC later.
Before you begin
Best practice: Use the wsadmin tool to propagate information to the JACC provider independent of the application installation process, which avoids the need to reinstall applications. During application installation or modification, propagation of the security policy information to the JACC provider might also have failed; for example, a network problem might have occurred, or the JACC provider might not have been available. In these cases, the security policy of the previously installed applications does not exist in the JACC provider, so the provider cannot make access decisions for them. One option is to reinstall the applications involved. However, you can avoid reinstalling them by using the wsadmin scripting tool, which propagates the information to the JACC provider independent of the application installation process, so the applications do not need to be reinstalled.
The tool uses the SecurityAdmin MBean to propagate the policy information in the deployment descriptor of any installed application to the JACC provider. You can invoke this tool using wsadmin on the base application server (for a base installation) or on the deployment manager (for WebSphere® Application Server, Network Deployment). Note that the SecurityAdmin MBean is available only when the server is running.
Use propagatePolicyToJACCProvider {-appNames appNames} to propagate the policy information in the deployment descriptor or annotations of the enterprise archive (EAR) files to the JACC provider. If the JACC provider implements the RoleConfigurationFactory and RoleConfiguration interfaces, the authorization table information in the binding file of the EAR files is also propagated to the provider. See the Interfaces that support JACC article for more information about these interfaces.
The appNames
String contains the list of application names, delimited by a
colon (:), whose policy information must be stored in the provider.
If appNames is not present, the policy information of all the deployed
applications is propagated to the provider.
Also, be aware of
the following items:
- Before migrating applications to the Tivoli® Access
Manager JACC provider, create or import the users and groups that
are in the applications to Tivoli Access Manager.
- Depending on the application or the number of applications that
are propagated, you might have to increase the request time-out period
either in the soap.client.props file in the directory profile_root/properties (if
using SOAP) or in the sas.client.props file (if using RMI)
for the command to complete. You can set the request time-out value
to 0 to avoid the timeout problem, and change it back to the original
value after the command is run.
Procedure
- Configure your JACC provider in WebSphere Application Server. See the Authorizing access to J2EE resources using Tivoli Access Manager article for more information.
- Restart the server.
- Enter the following command:
wsadmin>$AdminTask propagatePolicyToJACCProvider {-appNames appNames}
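The following wsadmin script is an added example of driving the same task from Jython, not a script from the IBM documentation; it checks each requested name against the installed applications before building the colon-delimited appNames value, so a mistyped name fails early instead of silently leaving that application without a policy in the provider. It assumes the Jython parameter form '[-appNames a:b]', that sys.argv holds only the script arguments, and that the request time-out in soap.client.props has been raised as described above if many applications are propagated.

```jython
# propagateJacc.py: run as  wsadmin -lang jython -f propagateJacc.py App1 App2
# With no arguments the policy of every deployed application is propagated.
import sys

def installed_apps():
    # AdminApp.list() returns the installed application names, one per line.
    names = []
    for line in AdminApp.list().split("\n"):
        if line.strip():
            names.append(line.strip())
    return names

def propagate(app_names):
    installed = installed_apps()
    missing = []
    for name in app_names:
        if name not in installed:
            missing.append(name)
    if missing:
        # Refuse to run with a bad list: the task would not report the typo.
        print "Not installed, nothing propagated: %s" % ", ".join(missing)
        return 0
    if app_names:
        # Assumption: Jython form of the Jacl {-appNames a:b} argument.
        AdminTask.propagatePolicyToJACCProvider('[-appNames %s]' % ":".join(app_names))
        print "Propagated policy for: %s" % ", ".join(app_names)
    else:
        AdminTask.propagatePolicyToJACCProvider()
        print "Propagated policy for all deployed applications"
    return 1

# Assumption: in wsadmin, sys.argv contains only the arguments after the script name.
propagate(sys.argv)
```

The SecurityAdmin MBean must be reachable, so run this against a started server or deployment manager, and verify afterwards in the JACC provider that the expected roles and role-to-user mappings are present.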