[z/OS]

Federating a node without specifying a user ID and password

By default, the WebSphere Application Server deployment manager is configured to prompt wsadmin and other clients for a user ID and password. If you plan to use remote method invocation (RMI) connections to connect to a deployment manager from clients running within different z/OS images and want to use the authentication credentials for the client without having to specify them, a personal certificate must be defined for the administrator that is running the job.

Procedure

  1. Define a personal certificate for the administrator, and connect this certificate to the administrator keyring.
    The following template can be used to construct the RACF statements to create a personal certificate for the administrator and place it on the administrator's keyring.
    RACDCERT ID(zAdminUserid) GENCERT SUBJECTSDN(CN('zAdminUserid') O('IBM')
     OU('zCellShortName')) WITHLABEL('zSAFProfilePrefix.zAdminUserid')
     SIGNWITH(CERTAUTH LABEL('zSSLCaKeylabel')) SIZE(2048)
     NOTAFTER(DATE(zCaAuthorityExpirationDate))

    RACDCERT ID(zAdminUserid) CONNECT(LABEL('zSAFProfilePrefix.zAdminUserid')
     RING(zDefaultSAFKeyringName) DEFAULT)
    Replace each occurrence of zAdminUserid, zCellShortName, zSAFProfilePrefix, zSSLCaKeylabel, zCaAuthorityExpirationDate, and zDefaultSAFKeyringName in the template with the corresponding values that were defined for the target deployment-manager definition with the Profile Management Tool. If a SAF profile prefix was not defined for the deployment manager, remove the period (.) that follows each occurrence of zSAFProfilePrefix.

    For more information on federating a node without specifying a user ID and password, see Authentication protocol settings for a client configuration.

  2. Verify client authentication.
    If global security is enabled on the target Network Deployment cell, update the following file in the configuration images for both the deployment manager and the node to be federated to indicate that the client's credentials are to be used for authentication (instead of specifying a user ID and password):
    ${zConfigMountPoint}/${zWasServerDir}/profiles/default/properties/sas.client.props
    Note that this is an ASCII file.

    The com.ibm.CORBA.loginSource=prompt property in the sas.client.props file that resides in each configuration image must be changed to com.ibm.CORBA.loginSource=none.

    The user that runs the node federation job (BBOWMNAN or BBOWADDN) must have full administrative privileges for the target Network Deployment cell, because the client's credentials are being used for authentication. If the deployment manager resides in a different z/OS image from the node to be federated, the following additional properties in the sas.client.props file for the node to be federated must also be changed from their default values:
    com.ibm.CSI.performTLClientAuthenticationRequired=false
    com.ibm.CSI.performTLClientAuthenticationSupported=false
    com.ibm.CSI.performTransportAssocSSLTLSSupported=false
    to:
    com.ibm.CSI.performTLClientAuthenticationRequired=true
    com.ibm.CSI.performTLClientAuthenticationSupported=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true
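    The sas.client.props changes in step 2 as an added, runnable example (not IBM's code or a utility from the product): it rewrites the properties the procedure names and then re-checks the file so that a half-applied edit is caught before the federation job runs. The properties excerpt embedded below is constructed, not a real default file.

```python
# Added example: apply and verify the sas.client.props settings the procedure describes.
# Not IBM code. The SAMPLE excerpt is constructed for illustration.
from typing import Dict, List

LOGIN_SOURCE = "com.ibm.CORBA.loginSource"
# Only needed when the deployment manager is in a different z/OS image from the node.
CROSS_IMAGE_PROPS = (
    "com.ibm.CSI.performTLClientAuthenticationRequired",
    "com.ibm.CSI.performTLClientAuthenticationSupported",
    "com.ibm.CSI.performTransportAssocSSLTLSSupported",
)

def required_settings(cross_image: bool) -> Dict[str, str]:
    """Values sas.client.props must hold so the client's own credentials are used."""
    wanted = {LOGIN_SOURCE: "none"}          # replaces the default 'prompt'
    if cross_image:
        wanted.update({p: "true" for p in CROSS_IMAGE_PROPS})
    return wanted

def apply_settings(text: str, cross_image: bool) -> str:
    """Return the properties text with the required keys set; comments and other
    lines are kept. A required key that is absent is appended, not skipped."""
    wanted = required_settings(cross_image)
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(("#", "!")) and "=" in s:
            key = s.split("=", 1)[0].strip()
            if key in wanted:
                out.append(f"{key}={wanted[key]}")
                seen.add(key)
                continue
        out.append(line)
    out.extend(f"{k}={v}" for k, v in wanted.items() if k not in seen)
    return "\n".join(out) + "\n"

def check_settings(text: str, cross_image: bool) -> List[str]:
    """List each required key that is missing or still has the wrong value."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(("#", "!")) and "=" in s:
            k, v = s.split("=", 1)
            found[k.strip()] = v.strip()
    return [f"{k} should be {v}, is {found.get(k, '<missing>')}"
            for k, v in required_settings(cross_image).items() if found.get(k) != v]

# Constructed excerpt of a default (ASCII) sas.client.props; not a real file.
SAMPLE = """# constructed sample
com.ibm.CORBA.loginSource=prompt
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
"""
```

    Run check_settings on the real file (read and written as ASCII, as the page notes) in each configuration image; an empty list means every required value is in place.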

Last updated: April 20, 2014 09:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-zos&topic=tins_fednode_noid