Configuring security with scripting
The user ID and password that wsadmin needs to connect to a secured server can be supplied as command-line options and in properties files. If both are used, command-line options take precedence over what is in the properties files. The properties files are located in Profile_root/properties.
Procedure
- The properties file updates required for running in secure mode depend on whether you connect with a Remote Method Invocation (RMI) connector, a JSR160RMI connector, an Inter-Process Communications (IPC) connector, or a SOAP connector:
  - If you use a Remote Method Invocation (RMI) connector or a JSR160RMI connector, set the following properties in the sas.client.props file with the appropriate values:
      com.ibm.CORBA.loginUserid=
      com.ibm.CORBA.loginPassword=
    Also, set the following property:
      com.ibm.CORBA.loginSource=properties
    The default value for this property is prompt in the sas.client.props file. If you leave the default value, then a dialog box is displayed with a password prompt. If the script is running unattended, then the system stops.
  - If you use a SOAP connector, set the following properties in the soap.client.props file with the appropriate values:
      com.ibm.SOAP.securityEnabled=true
      com.ibm.SOAP.loginUserid=
      com.ibm.SOAP.loginPassword=
    Optionally, set the following property:
      com.ibm.SOAP.loginSource=none
    The default value for this property is prompt in the soap.client.props file. If you leave the default value, a dialog box is displayed with a password prompt. If the script is running unattended, then the system stops.
  - If you use an IPC connector, set the following properties in the ipc.client.props file with the appropriate values:
      com.ibm.IPC.loginUserid=
      com.ibm.IPC.loginPassword=
    Optionally, remove prompt from the following line:
      com.ibm.IPC.loginSource=prompt
    The default value for this property is prompt in the ipc.client.props file. If you leave the default value, a dialog box appears with a password prompt. If the script is running unattended, it appears to hang.
- Specify user and password information. Choose one of the following methods:
  - Specify the user name and password on the command line, using the -user and -password options, as the following examples demonstrate:
      wsadmin -conntype JSR160RMI -port 2809 -user u1 -password secret1
      wsadmin.sh -conntype JSR160RMI -port 2809 -user u1 -password secret1
  - Specify a user name and password in the properties file for the type of connector you are using.
  If you specify user and password information on a command line and in the sas.client.props file or the soap.client.props file, the command line information overrides the information in the props file.
  Using the -password option can result in security exposure, because the password becomes visible to system status programs such as the ps command, which other users can invoke to display all running processes. Do not use this option if security exposure is a concern. Instead, specify user and password information in the soap.client.props file for the SOAP connector, the sas.client.props file for the JSR160RMI connector or the Remote Method Invocation (RMI) connector, or the ipc.client.props file for the IPC connector. The soap.client.props, sas.client.props, and ipc.client.props files are located in the properties directory of your profile.
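The following added example (not IBM's code) checks a connector props file for the settings this procedure describes before wsadmin is run unattended. The file content is a constructed sample, and the POSIX file-mode check is an assumption that goes beyond what the page states.

```python
import stat

# Property prefix and props file for each connector type named on the page.
CONNECTORS = {
    "SOAP": ("com.ibm.SOAP", "soap.client.props"),
    "IPC": ("com.ibm.IPC", "ipc.client.props"),
    "RMI": ("com.ibm.CORBA", "sas.client.props"),
    "JSR160RMI": ("com.ibm.CORBA", "sas.client.props"),
}

def parse_props(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_props(conntype, text, mode):
    """List problems with using this props file for an unattended wsadmin run."""
    prefix, fname = CONNECTORS[conntype]
    props, findings = parse_props(text), []
    for key in ("loginUserid", "loginPassword"):
        if not props.get(prefix + "." + key):
            findings.append("%s: %s.%s is empty" % (fname, prefix, key))
    # The shipped default 'prompt' opens a dialog, so an unattended script stalls.
    if props.get(prefix + ".loginSource") == "prompt":
        findings.append("%s: %s.loginSource=prompt" % (fname, prefix))
    if conntype == "SOAP" and props.get("com.ibm.SOAP.securityEnabled") != "true":
        findings.append("%s: com.ibm.SOAP.securityEnabled is not true" % fname)
    # Assumption (not from the page): a password file grants nothing to group/others.
    if props.get(prefix + ".loginPassword") and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: mode %o is open to group/others" % (fname, stat.S_IMODE(mode)))
    return findings

# Constructed sample: credentials filled in, loginSource left at its default.
SAMPLE_SOAP = """\
# soap.client.props (constructed excerpt)
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=u1
com.ibm.SOAP.loginPassword=secret1
com.ibm.SOAP.loginSource=prompt
"""

if __name__ == "__main__":
    for finding in audit_props("SOAP", SAMPLE_SOAP, 0o100644):
        print(finding)
```

Pass the mode from os.stat(path).st_mode when checking a real file under the profile's properties directory.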
Subtopics
Enabling and disabling security using scripting
You can use scripting to enable or disable application security, global security, administrative security based on the LocalOS registry, and authentication mechanisms.
Enabling and disabling Java 2 security using scripting
You can enable or disable Java 2 security with scripting and the wsadmin tool.
WizardCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the WizardCommands group can be used to configure security using similar actions to the security wizard panels in the administrative console.
Configuring multiple security domains using scripting
You can customize your security configuration at the cell, server, or cluster level by configuring multiple security domains.
Configuring the JACC provider for Tivoli Access Manager using the wsadmin utility
You can use the wsadmin utility to configure Tivoli® Access Manager security for WebSphere Application Server.
Securing communications using the wsadmin tool
The application server provides several methods to secure communication between a server and a client. Use this topic to configure Secure Sockets Layer (SSL), keystores, certificate authorities, key sets and groups, and certificates.
Enabling authentication in the file transfer service using scripting
The file transfer service provides role-based authentication. You can enable authentication in the file transfer service using scripting and the wsadmin tool.
Propagating security policy of installed applications to a JACC provider using wsadmin scripting
It is possible that you have applications installed prior to enabling the Java Authorization Contract for Containers (JACC)-based authorization. You can start with default authorization and then move to an external provider-based authorization using JACC later.
Configuring custom adapters for federated repositories using wsadmin
You can use the Jython or Jacl scripting language with the wsadmin tool to define custom adapters in the federated repositories configuration file.
Configuring a federated repository or stand-alone LDAP registry using wsadmin
You can use the wsadmin tool to configure a federated repository or stand-alone LDAP registry.
Disabling embedded Tivoli Access Manager client using wsadmin
Follow these steps to unconfigure the Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager.
Configuring security auditing using scripting
Security auditing provides tracking and archiving of auditable events. This topic uses the wsadmin tool to enable and administer your security auditing configurations.
SSLMigrationCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to migrate key store configurations. Use the commands in the SSLMigrationCommands group to convert self-signed certificates to chained personal certificates and to enable writable key rings.
IdMgrConfig command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure the virtual member manager with the wsadmin tool. The commands and parameters in the IdMgrConfig group can be used to create and manage your entity type configuration.
IdMgrRepositoryConfig command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security. The commands and parameters in the IdMgrRepositoryConfig group can be used to create and manage the virtual member manager and LDAP directory properties.
IdMgrRealmConfig command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure federated repositories realms. The commands and parameters in the IdMgrRealmConfig group can be used to create and manage your realm configuration.
IdMgrDataModel command group for the AdminTask object
You can use the Jython or Jacl scripting language to manage the federated repository schema using the wsadmin tool. Use the commands and parameters in the IdMgrDataModel group to manage the property extension repository. The commands are available in connected or local mode using the -conntype NONE option.
IdMgrDBSetup command group for the AdminTask object
You can use the Jython or Jacl scripting language to manage the federated repository schema using the wsadmin tool. Use the deleteIdMgrPropertyExtensionEntityData command and its parameters in the IdMgrDBSetup group to manage the property extension repository. The command is available in both connected and local mode using the -conntype NONE option.
JaspiManagement command group for the AdminTask object
Use the commands and parameters in the JaspiManagement command group to manage the configuration of authentication providers.
LTPACommandGroup command group for the AdminTask object
You can use the Jython or Jacl scripting languages to import and export LTPA keys.
WIMManagementCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the WIMManagementCommands group can be used to create and manage groups, members, and users in the virtual member manager.
DescriptivePropCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the DescriptivePropCommands group can be used to create, delete, and manage key manager settings in your configuration.
ManagementScopeCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. Inbound and outbound management scopes represent opposing directions during the connection handshake process. The commands and parameters in the ManagementScopeCommands group can be used to create, delete, and list management scopes.
AuthorizationGroupCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the AuthorizationGroupCommands group can be used to create and manage authorization groups.
ChannelFrameworkManagement command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security. The commands and parameters in the ChannelFrameworkManagement group can be used to create and manage transport channels and transport channel chains.
FIPSCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure Federal Information Processing Standards (FIPS) with the wsadmin tool.
SpnegoTAICommands group for the AdminTask object (deprecated)
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the SpnegoTAICommands group can be used to create and manage configurations that are used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI).
The Kerberos configuration file
The Kerberos configuration properties, krb5.ini or krb5.conf files, must be configured on every WebSphere Application Server instance in a cell in order to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server.
SPNEGO web authentication configuration commands
Use wsadmin commands to configure, unconfigure, validate, or display Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) in the security configuration.
SPNEGO web authentication filter commands
Use wsadmin commands to add, modify, delete, or show Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Web authentication filters in the security configuration.
Kerberos authentication commands
Use wsadmin commands to create, modify or delete Kerberos as the authentication mechanism for WebSphere Application Server.
LTPA_LDAPSecurityOn and LTPA_LDAPSecurityOff command usage
Use the examples in this topic to enable and disable LTPA/LDAP security, based on single sign-on using the LDAP user registry.


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=txml_security
File name: txml_security.html