com.tivoli.pd.jcfg.SvrSslCfg utility for Tivoli Access Manager single sign-on
The utility is used to configure and remove the configuration information associated with WebSphere® Application Server and the Tivoli® Access Manager server.
Purpose
The svrsslcfg script creates a user account and server entries that represent your WebSphere Application Server profile in the Tivoli Access Manager user registry. In addition, a configuration file and a Java™ keystore file, which securely stores a client certificate, are created in the application server profile. This client certificate permits callers to use Tivoli Access Manager authentication services.
You can also choose to remove the user and server entries from the user registry and clean up the local configuration and keystore files.
The svrsslcfg script wraps the SvrSslCfg class and provides support for multiple WebSphere Application Server profiles. The use of multiple profiles allows you to create multiple WebSphere Application Server environments that are completely isolated from one another.
Run the svrsslcfg script first on the deployment manager and then on the other nodes in the cell.
[IBM i]
Steps
- Log on with a user profile and all object (*ALLOBJ) authority.
- On the CL command line, enter the Start Qshell (STRQSH) command.
- Change directories to the app_server_root/bin directory.
- Enter the svrsslcfg command with the options that you want. For example:
svrsslcfg -profileName myprofile -action config -admin_id sec_master -admin_pwd pwd123 -appsvr_id ibm9 -appsvr_pwd ibm9pwd -mode remote -port 8888 -policysvr ourserv.rochester.ibm.com:7135:1 -authzsvr ourserv.rochester.ibm.com:7136:1 -key_file profile_root/myprofile/etc/ibm9.kdb -cfg_action create
The previous example displays on multiple lines for illustrative purposes only.
[AIX Solaris HP-UX Linux Windows]
[z/OS]
Syntax
java com.tivoli.pd.jcfg.SvrSslCfg -action {config | unconfig} -admin_id admin_user_ID -admin_pwd admin_password -appsvr_id application_server_name -appsvr_pwd application_server_password -mode {local|remote} -host host_name_of_application_server -policysvr policy_server_name:port:rank [,...] -authzsvr authorization_server_name:port:rank [,...] -cfg_file fully_qualified_name_of_configuration_file -domain Tivoli_Access_Manager_domain -key_file fully_qualified_name_of_keystore_file -cfg_action {create|replace}
[IBM i]
Syntax
The configuration syntax is:
svrsslcfg -action config [ -profileName profile_name ] -admin_id admin_user_id -admin_pwd admin_password -appsvr_id application_server_name -port port_number -mode { local | remote } -policysvr policy_server_name -authzsvr authorization_server_name -key_file fully_qualified_name_of_key_file -appsvr_pwd application_server_password -cfg_action { create | replace } [ -domain Tivoli_Access_Manager_domain ]
The unconfigure syntax is:
svrsslcfg -action unconfig [ -profileName profile_name ] -admin_id admin_user_id -admin_pwd admin_password -appsvr_id application_server_name -policysvr policy_server_name [ -domain Tivoli_Access_Manager_domain ]
You can enter the previous syntax as one continuous line.
Parameters
- -action {config | unconfig}
- Specifies the configuration action that is performed by the script.
The following options apply:
- -action config
- Configuring a server creates user and server information in the
user registry and creates local configuration and key store files
on the application server. Use the -action unconfig option
to reverse this operation.
If this action is specified, the following options are required: -admin_id, -admin_pwd, -appsvr_id, -port, -mode, -policysvr, -authzsvr, and -key_file.
- -action unconfig
- Unconfigures an application server, which completes the following actions:
- Remove the user and server information from the user registry
- Delete the local key store file
- Remove information for this application from the configuration file without deleting the file
The unconfiguration operation fails only if the caller is unauthorized or the policy server cannot be contacted.
This action can succeed when a configuration file does not exist. When the configuration file does not exist, it is created and used as a temporary file to hold configuration information during the operation, and then the file is deleted completely.
If this action is specified, the following options are required: -admin_id, -admin_pwd, -appsvr_id, and -policysvr.
- -admin_id admin_user_ID
- Specifies the Tivoli Access Manager administrator
name. If this option is not specified, sec_master is
the default.
A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the administrative ID.
For example, for U.S. English the valid characters are the letters a-z and A-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry.
- -admin_pwd admin_password
- Specifies the password of the Tivoli Access Manager administrator user that is associated with the -admin_id parameter. The password restrictions depend upon the password policy for your Tivoli Access Manager configuration.
- -appsvr_id application_server_name
- Specifies the name of the application server. The name is combined with the host name to create unique names for Tivoli Access Manager objects created for your application. The following names are reserved for Tivoli Access Manager applications: ivacld, secmgrd, ivnet, and ivweb.
- -appsvr_pwd application_server_password
- Specifies the password of the application server account that is created in the Tivoli Access Manager user registry. The configuration file is updated with the password that is created for the server.
If this option is not specified, the server password is read from standard input, which keeps it out of the process argument list and the shell history.
- -authzsvr authorization_server_name
- Specifies the name of the Tivoli Access Manager authorization server with which the application server communicates. The server is specified by fully qualified host name, the SSL port number, and the rank. The default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. You can specify multiple servers if the entries are separated by a comma (,).
- -cfg_action {create | replace}
- Specifies the action to take when creating the configuration and key files. Valid values are create or replace. Use the create option to initially create the configuration and keystore files. Use the replace option if these files already exist. If you use the create option and the configuration or keystore files already exist, an exception is thrown. Options are as follows:
- create
- Specifies to create the configuration and key store files during server configuration. Configuration fails if either of these files already exists.
- replace
- Specifies to replace the configuration and key store files during server configuration. Configuration deletes any existing files and replaces them with new ones.
- -cfg_file fully_qualified_name_of_configuration_file
- Specifies the configuration file path and name. The file name must be an absolute (fully qualified) file name to be valid.
- -domain Tivoli_Access_Manager_domain
- Specifies the Tivoli Access Manager domain name to which the administrator is authenticated. This domain must exist, and the administrator ID and password must be valid for this domain. The application server is created in this domain.
If not specified, the local domain that was specified during Tivoli Access Manager runtime configuration is used. The local domain value is retrieved from the configuration file.
A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the domain name.
For example, for U.S. English the valid characters for domain names are the letters a-z and A-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry.
- -host host_name_of_application_server
- Specifies the TCP host name used by the Tivoli Access Manager policy server to contact this server. This name is saved in the configuration file using the azn-app-host key.
The default is the local host name returned by the operating system. Valid values for host_name include any valid IP host name. Examples: host = libra, host = libra.dallas.ibm.com
- -key_file fully_qualified_name_of_keystore_file
- Specifies the fully qualified name of the keystore (.kdb) file that contains the application server certificate and key. A valid directory name is determined by the operating system.
Make sure that the server user (for example, ivmgr) has permission to read the .kdb file and the folder that contains it. Granting access to all users also satisfies the utility, but the keystore holds the server's private key, so restrict it to the server user where possible.
This option is required.
- -mode server_mode
- Specifies the mode in which the application server processes requests. The value must be either local or remote; only the remote mode is supported.
- -policysvr policy_server_name
- Specifies the names of the servers that run the Tivoli Access Manager policy server (ivmgrd) with which the application server communicates. A server is specified by a fully qualified host name, the SSL port number, and the rank. The default SSL port number is 7135. For example: mypolicy.mycompany.com:7135:1. You can specify multiple servers if the entries are separated by a comma (,).
- -port port_number
- Specifies the TCP/IP communications port on which the application server listens for communications from the policy servers.
- -profileName profile_name
- Specifies the name of your WebSphere Application Server profile. If this option is not specified, the default server1 profile is used.
[AIX Solaris HP-UX Linux Windows]
[z/OS]
Comments
After the successful configuration of a Tivoli Access Manager Java application server, SvrSslCfg creates a user account and server entries representing the Java application server in the Tivoli Access Manager user registry. In addition, SvrSslCfg creates a configuration file and a Java key store file, which securely stores a client certificate, locally on the application server. This client certificate permits callers to make authenticated use of Tivoli Access Manager services. Conversely, unconfiguration (-action unconfig) removes the user and server entries from the user registry and cleans up the local configuration and keystore files.
The contents of an existing configuration file can be modified by using the SvrSslCfg utility. The configuration file and the key store file must already exist when calling SvrSslCfg with all options other than -action config or -action unconfig.
The following options are parsed and processed into the configuration file, but are otherwise ignored in this version of Tivoli Access Manager:
The server name has the form server_name/host_name.
Note that the pdadmin server list command displays the server name in a slightly different format: server_name-host_name
[AIX Solaris HP-UX Linux Windows]
[z/OS]
```sh
# Assumes these variables are already set: WAS_HOME, WAS_CLASSPATH, TAM_HOST,
# TAM_PASSWORD, APPSVR_ID, CFG_FILE (absolute path), KEY_FILE (absolute .kdb path).
CLASSPATH=${WAS_HOME}/tivoli/tam/PD.jar:${WAS_CLASSPATH}
java \
  -cp "${CLASSPATH}" \
  -Dpd.cfg.home="${WAS_HOME}/java/jre" \
  -Dfile.encoding=ISO8859-1 \
  -Xnoargsconversion \
  com.tivoli.pd.jcfg.SvrSslCfg \
  -action config \
  -admin_id sec_master \
  -admin_pwd "$TAM_PASSWORD" \
  -appsvr_id "$APPSVR_ID" \
  -policysvr "${TAM_HOST}:7135:1" \
  -port 7135 \
  -authzsvr "${TAM_HOST}:7136:1" \
  -mode remote \
  -cfg_file "${CFG_FILE}" \
  -key_file "${KEY_FILE}" \
  -cfg_action create
```
There must be no space after -Dpd.cfg.home=; with a space, the JVM would take the path as the main class name. The -port value is the port on which this application server listens for the policy server, so it must not collide with a policy server (ivmgrd, default 7135) running on the same host. -cfg_action create fails if CFG_FILE or KEY_FILE already exists; use replace to overwrite them.