By default, the WebSphere Application Server deployment
manager is configured to prompt wsadmin and other clients for a user
ID and password. If you plan to use remote method invocation (RMI)
connections to a deployment manager from clients running in
different z/OS images, and want those clients to authenticate with
their own credentials rather than a user ID and password supplied on
each call, a personal certificate must be defined for the
administrator that runs the job, and that certificate must be on the
administrator's keyring.
Procedure
- Define a personal certificate for the administrator, and
connect this certificate to the administrator keyring.
The following template can be used to construct the RACF statements
that create a personal certificate for the administrator and place it
on the administrator's keyring:

    RACDCERT ID(zAdminUserid) GENCERT
        SUBJECTSDN(CN('zAdminUserid') O('IBM') OU('zCellShortName'))
        WITHLABEL('zSAFProfilePrefix.zAdminUserid')
        SIGNWITH(CERTAUTH LABEL('zSSLCaKeylabel'))
        SIZE(2048)
        NOTAFTER(DATE(zCaAuthorityExpirationDate))

    RACDCERT ID(zAdminUserid) CONNECT(LABEL('zSAFProfilePrefix.zAdminUserid')
        RING(zDefaultSAFKeyringName) DEFAULT)
Replace each occurrence of zAdminUserid, zCellShortName,
zSAFProfilePrefix, zSSLCaKeylabel, zCaAuthorityExpirationDate, and
zDefaultSAFKeyringName in the template with the corresponding values
that were defined for the target deployment-manager definition with
the Profile Management Tool. If no SAF profile prefix was defined for
the deployment manager, remove each occurrence of zSAFProfilePrefix
together with the period (.) that follows it, so that the certificate
label is just the administrator user ID.
For
more information on federating a node without specifying a user ID
and password, see Authentication protocol settings for a client configuration.
- Verify client authentication.
If global security is enabled on the target Network Deployment cell,
update the following file in the configuration images of both the
deployment manager and the node to be federated, so that the client's
own credentials are used for authentication instead of a user ID and
password:

    ${zConfigMountPoint}/${zWasServerDir}/profiles/default/properties/sas.client.props

Note that this is an ASCII file. In the sas.client.props file of each
configuration image, change

    com.ibm.CORBA.loginSource=prompt

to

    com.ibm.CORBA.loginSource=none
The
user that runs the node federation job (BBOWMNAN or BBOWADDN) must
have full administrative privileges for the target Network Deployment
cell (because the client's credentials are being used for authentication).
If the deployment manager resides in a different z/OS image from the
node to be federated, the following additional properties in the
sas.client.props file of the node to be federated, which are shipped
as:

    com.ibm.CSI.performTLClientAuthenticationRequired=false
    com.ibm.CSI.performTLClientAuthenticationSupported=false
    com.ibm.CSI.performTransportAssocSSLTLSSupported=false

must be changed to:

    com.ibm.CSI.performTLClientAuthenticationRequired=true
    com.ibm.CSI.performTLClientAuthenticationSupported=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true

With these settings the client presents its certificate to the
deployment manager over SSL, which is why the administrator's
personal certificate from the previous step has to be on the default
keyring: without it the connection has no credential to offer once
the user ID and password prompt has been disabled.
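The two steps above, as an added example in z/OS UNIX shell form. This script is not from the IBM page or the product; the function names (gen_racdcert, set_prop, get_prop, configure_client_props) and the sample values (WSADMIN, WSCELL, BBO, WASCA, WASKeyring, the expiry date) are placeholders invented for the example, and the sas.client.props contents it edits are a constructed sample, not a shipped file. It fills the RACDCERT template from the Profile Management Tool values, dropping the period when no SAF profile prefix exists, and then rewrites only the named properties in sas.client.props, leaving every other line untouched.

```shell
#!/bin/sh
# Added example, not IBM code. Placeholder values throughout.

# gen_racdcert ADMIN CELL PREFIX CALABEL EXPIRY RING
# Prints the two RACDCERT statements from the page's template.
# When PREFIX is empty the label is just ADMIN (no leading period),
# which is what the page requires when no SAF profile prefix is defined.
gen_racdcert() {
    admin=$1; cell=$2; prefix=$3; calabel=$4; expiry=$5; ring=$6
    if [ -n "$prefix" ]; then
        label="${prefix}.${admin}"
    else
        label="$admin"
    fi
    printf '%s\n' \
      "RACDCERT ID(${admin}) GENCERT SUBJECTSDN(CN('${admin}') O('IBM') OU('${cell}')) WITHLABEL('${label}') SIGNWITH(CERTAUTH LABEL('${calabel}')) SIZE(2048) NOTAFTER(DATE(${expiry}))" \
      "RACDCERT ID(${admin}) CONNECT(LABEL('${label}') RING(${ring}) DEFAULT)"
}

# set_prop FILE KEY VALUE
# Replaces the line that starts with "KEY=" (or appends KEY=VALUE if
# absent); comments and unrelated properties are copied through as-is.
set_prop() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { found = 0; n = length(k) + 1 }
        substr($0, 1, n) == (k "=") { print k "=" v; found = 1; next }
        { print }
        END { if (!found) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY -> prints the current value, for verification.
get_prop() {
    awk -v k="$2" -F= '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# configure_client_props FILE [CROSS_IMAGE]
# Applies the page's edits: loginSource=none always; the three CSI
# client-authentication properties set to true when CROSS_IMAGE is 1,
# i.e. when the node and the deployment manager are in different z/OS images.
configure_client_props() {
    file=$1; cross=${2:-0}
    set_prop "$file" com.ibm.CORBA.loginSource none
    if [ "$cross" = 1 ]; then
        for k in com.ibm.CSI.performTLClientAuthenticationRequired \
                 com.ibm.CSI.performTLClientAuthenticationSupported \
                 com.ibm.CSI.performTransportAssocSSLTLSSupported; do
            set_prop "$file" "$k" true
        done
    fi
}

# Demonstration on a constructed sample file, not a real configuration image.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/sas.client.props"
cat > "$demo_file" <<'EOF'
# constructed sample, not an IBM-shipped sas.client.props
com.ibm.CORBA.loginSource=prompt
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
EOF
configure_client_props "$demo_file" 1
cat "$demo_file"
gen_racdcert WSADMIN WSCELL BBO WASCA 2030/12/31 WASKeyring
gen_racdcert WSADMIN WSCELL "" WASCA 2030/12/31 WASKeyring
rm -r "$demo_dir"
```

Because sas.client.props is an ASCII file while z/OS UNIX text utilities work in EBCDIC by default, either convert the file with iconv before and after editing or edit it in an environment where ASCII file tagging and automatic conversion are in effect, and check the result with od or cat -v afterwards so you do not write an EBCDIC line into an ASCII file. The RACDCERT output is printed one statement per line; if you submit it through a batch TSO step, split the lines according to TSO continuation rules.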