IBM Tivoli Access Manager
Authorization Java Classes Developer Reference
Version 5.1
SC32-1350-00
Note: Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 39.

Limited Edition (November 2003)

This edition replaces SC32-1141-01.

© Copyright International Business Machines Corporation 2002, 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Figures  v
Tables  vii
Preface  ix
  Who should read this book  ix
  What this book contains  ix
  Publications  x
    Release information  x
    Base information  x
    Web security information  x
    Developer references  xi
    Technical supplements  xii
  Related publications  xii
  Accessing publications online  xv
  Accessibility  xv
  Contacting software support  xv
  Conventions used in this book  xvi
    Typeface conventions  xvi
    Operating system differences  xvi
Chapter 1. Introducing the authorization API  1
  Authorization API components  2
  Building Java applications with the authorization API  3
    IBM Tivoli Access Manager software requirements  3
    JRE requirements  3
    Configuring the Java runtime component to a particular Java runtime environment  4
    Security requirements  4
  Deploying a Java authorization API application  5
Chapter 2. Understanding security in IBM Tivoli Access Manager  7
  Using Java 2 security with IBM Tivoli Access Manager  8
  Java Authentication and Authorization Service (JAAS) model  9
    Authenticating users and obtaining credentials  9
    Authorizing access requests  10
Chapter 3. Using the authorization API  13
  Configuring a Java application into the secure domain  14
    Configuring an application server  15
    Unconfiguring an application server  16
    Adding a policy or authorization server  16
    Removing a policy or authorization server  17
    Changing a policy or authorization server  17
    Replacing a certificate  17
    Setting the port  17
    Setting the database directory  17
    Setting the database refresh interval  18
    Setting the application listening mode  18
  Configuring the Java Authentication and Authorization Service  19
    Creating a login configuration file  19
    Specify the login file location  19
  Developing a resource manager  20
  Making authorization decisions outside of Java 2  21
  Obtaining entitlements for a specified user  22
Chapter 4. Java classes overview  25
  com.tivoli.mts.PDLoginModule  25
  com.tivoli.mts.PDPrincipal  25
  com.tivoli.mts.PDPermission  26
  com.tivoli.pd.jutil.PDAttrs  26
  com.tivoli.pd.jutil.PDAttrValue  27
  com.tivoli.pd.jutil.PDAttrValueList  27
  com.tivoli.pd.jutil.PDAttrValues  28
  com.tivoli.pd.jutil.PDStatics  28
Chapter 5. Upgrade considerations  29
Appendix A. com.tivoli.pd.jcfg.SvrSslCfg  31
  -action config  34
  -action unconfig  34
  -action addsvr  34
  -action rmsvr  35
  -action chgsvr  35
  -action replcert  35
  -action setport  35
  -action setdbdir  35
  -action setdbref  36
  -action setdblisten  36
Appendix B. Deprecated Java authorization classes and methods  37
Appendix C. Notices  39
  Trademarks  40
Glossary  43
Index  49
Figures

1. JAAS login configuration file  19
2. Resource manager task example  20
3. Example showing authorization outside of Java 2  21
4. Using the PDPrincipal.getEntitlements method  22
5. Processing protected objects returned  23
Tables

1. Files associated with the Tivoli Access Manager Java runtime and ADK components  2
2. Sample information used for SvrSslCfg examples  14
3. Description of parameters for the SvrSslCfg configuration action  32
4. Deprecated Java Classes  37
Preface

This reference contains information about how to use Tivoli Access Manager authorization Java™ classes and methods. This document describes the Java implementation of the Tivoli Access Manager authorization API. See the IBM Tivoli Access Manager for e-business Administration C API Developer Reference for information regarding the C implementation of these APIs.

Who should read this book

This reference is for application programmers implementing programs in the Java programming language that require the use of the authorization functions provided with the IBM Tivoli Access Manager product.

Readers should be familiar with the following:
- PC and UNIX® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- The user registry that Tivoli Access Manager is configured to use
- Lightweight Directory Access Protocol (LDAP) and directory services, if used by your user registry
- Authentication and authorization
- Secure Sockets Layer (SSL) communications

What this book contains

This reference contains the following chapters and appendixes:
- Chapter 1, “Introducing the authorization API,” on page 1
  This chapter provides an overview of the authorization API and its components.
- Chapter 2, “Understanding security in IBM Tivoli Access Manager,” on page 7
  This chapter provides an overview of the Java classes and methods.
- Chapter 3, “Using the authorization API,” on page 13
  This chapter provides information on configuring the authorization API.
- Chapter 4, “Java classes overview,” on page 25
  This chapter provides an overview of the Java classes and methods provided as part of the authorization API.
- Chapter 5, “Upgrade considerations,” on page 29
  This chapter outlines considerations for upgrading Java applications from a previous version of Tivoli SecureWay® Policy Director or IBM Tivoli Access Manager.
- Appendix A, “com.tivoli.pd.jcfg.SvrSslCfg,” on page 31
  This appendix describes com.tivoli.pd.jcfg.SvrSslCfg. This class is used to configure and unconfigure the Tivoli Access Manager Java application.
- Appendix B, “Deprecated Java authorization classes and methods,” on page 37
  This appendix provides a list of the Java classes and methods that have been deprecated in this version of Tivoli Access Manager.
- Appendix C, “Notices,” on page 39
  This appendix provides copyright, legal, and trademark information.

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
- “Release information”
- “Base information”
- “Web security information”
- “Developer references” on page xi
- “Technical supplements” on page xii

Release information

- IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

- IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
- IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
- IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.
IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
- IBM Directory Server (Version 4.1 and Version 5.1)
- IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:
http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:
http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ, Version 5.3, messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/
The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
- IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
- IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
- IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
- IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
- IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
- Registration and eligibility requirements for receiving support
- Telephone numbers, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Chapter 1. Introducing the authorization API

The IBM Tivoli Access Manager (Tivoli Access Manager) Java runtime component includes the Java language version of a subset of the Tivoli Access Manager authorization API. The authorization API consists of a set of classes and methods that provide Java applications with the ability to interact with Tivoli Access Manager to make authentication and authorization decisions.

Application developers can use the Javadoc information provided with the Tivoli Access Manager application developer kit (ADK), along with this book and other Java reference materials, to add Tivoli Access Manager authorization and security services to new or existing Java applications.

Application developers updating an existing Tivoli Access Manager application should check Appendix B, “Deprecated Java authorization classes and methods,” on page 37 before making changes.

Note: If you are familiar with the authorization API Java classes provided in Tivoli SecureWay Policy Director Version 3.8, see Chapter 5, “Upgrade considerations,” on page 29 for important information.

This chapter contains the following topics:
- “Authorization API components” on page 2
- “Building Java applications with the authorization API” on page 3
- “Deploying a Java authorization API application” on page 5
Authorization API components

The authorization API Java classes are installed as part of the Tivoli Access Manager Java runtime component. These classes communicate directly with the Tivoli Access Manager authorization server by establishing an authenticated, Secure Sockets Layer (SSL) session with the authorization server process. The authorization server services these requests in the same manner that it services requests from the authorization C API.

Table 1 lists the files related to the authorization API that are installed as part of the Tivoli Access Manager Java runtime component. The Javadoc information, even though it is installed as part of the Tivoli Access Manager ADK component, is listed in the table for completeness.

Table 1. Files associated with the Tivoli Access Manager Java runtime and ADK components

Directory: JAVA_HOME/lib/ext
  PD.jar
    The Java Archive (JAR) file containing the classes and methods associated with both the authorization API and the administration API.
  ibmjsse.jar
    The JAR file encapsulating the Java Secure Socket Extension (JSSE) support, which provides a Java implementation of SSL.
  ibmjcefw.jar, ibmjceprovider.jar, local_policy.jar, US_export_policy.jar
    The JAR files comprising part of the Java Cryptography Extension (JCE).
  ibmpkcs.jar
    The JAR file containing the Public Key Cryptography Standard (PKCS) support.
  jaas.jar
    The JAR file encapsulating the Java Authentication and Authorization Service (JAAS).

Directory: AM_BASE/nls/javadocs/pdjrte
  index.html (and many others)
    Javadoc HTML documentation for the Java classes and methods provided with the Tivoli Access Manager Java runtime component.

Note: The PD.jar file replaces the PDPerm.jar file that was provided in Tivoli SecureWay Policy Director Version 3.8.

To make the JAR files listed in Table 1 available to a particular JRE, see “Configuring the Java runtime component to a particular Java runtime environment” on page 4.
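The JAR list in Table 1 doubles as a pre-deployment check: if one of those files is absent from the JRE's lib/ext directory, the application cannot load the SSL, JCE, PKCS or JAAS support it needs, and the problem surfaces only at run time. The POSIX shell function below is an added example, not part of the IBM manual; it takes the file names from Table 1 and reports which ones are missing from a given lib/ext directory. The names REQUIRED_JARS and check_ext_jars are this example's own, and the demonstration at the bottom runs against a constructed temporary directory rather than a real JRE.

```shell
#!/bin/sh
# Added example (not from the IBM manual): verify that the JAR files Table 1
# places under JAVA_HOME/lib/ext are present in a given lib/ext directory.
# REQUIRED_JARS and check_ext_jars are names chosen for this example.

# The file names Table 1 lists for the Tivoli Access Manager Java runtime component.
REQUIRED_JARS="PD.jar ibmjsse.jar ibmjcefw.jar ibmjceprovider.jar local_policy.jar US_export_policy.jar ibmpkcs.jar jaas.jar"

# check_ext_jars DIR
# Prints one "missing: <path>" line per absent JAR.
# Returns 0 when every required JAR is present, 1 otherwise.
check_ext_jars() {
    ext_dir="$1"
    missing=0
    for jar in $REQUIRED_JARS; do
        if [ ! -f "$ext_dir/$jar" ]; then
            echo "missing: $ext_dir/$jar"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone demonstration against a constructed directory (not a real JRE):
# only two of the eight JARs are created, so the check is expected to fail.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/lib/ext"
for jar in PD.jar ibmjsse.jar; do
    : > "$demo_root/lib/ext/$jar"
done
if check_ext_jars "$demo_root/lib/ext"; then
    echo "all required JARs present in $demo_root/lib/ext"
else
    echo "Java runtime component is not fully configured for this JRE"
fi
rm -rf "$demo_root"
```

In a real deployment, call check_ext_jars "$JAVA_HOME/lib/ext" (or "%JAVA_HOME%\lib\ext" under the Windows conventions described in the preface) before starting the application; a non-zero return means the Java runtime component has not been configured for that JRE.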
Building
Java
applications
with
the
authorization
API
To
develop
Java
applications
that
use
the
Tivoli
Access
Manager
authorization
API,
you
must
install
and
configure
the
required
software.
IBM Tivoli Access Manager software requirements

You must install and configure a Tivoli Access Manager secure domain. If you do not have a Tivoli Access Manager secure domain installed, install one before beginning application development. The minimum installation consists of a single system with the following Tivoli Access Manager components installed:

• Tivoli Access Manager runtime environment (see Note 1 on page 3)
• Tivoli Access Manager Java runtime component
• Tivoli Access Manager policy server
• Tivoli Access Manager authorization server
• Tivoli Access Manager ADK

If you already have a Tivoli Access Manager secure domain installed and want to add a development system to the domain, the minimum Tivoli Access Manager installation consists of the following components:

• Tivoli Access Manager runtime environment (see Note 1 on page 3)
• Tivoli Access Manager Java runtime component
• Tivoli Access Manager ADK

For Tivoli Access Manager installation instructions, refer to the section of the IBM Tivoli Access Manager Base Installation Guide for your operating system platform.
Notes:

1. The Tivoli Access Manager runtime environment component is not needed for developing or deploying a Tivoli Access Manager Java application. The prerequisite checking for the Tivoli Access Manager ADK component erroneously requires that the Tivoli Access Manager runtime component be installed, even if you are developing only Java applications and simply need the Javadoc information and the example files from the ADK component. To save disk space, you can copy the Javadoc HTML information, consisting of the entire AM_BASE/nls/javadocs directory tree, to another location on your development system and then uninstall the Tivoli Access Manager ADK and runtime components. Only the Tivoli Access Manager Java runtime component is necessary for running Java applications.

2. If you intend to use the Tivoli Access Manager runtime environment for an authorization C API application, you also must install the IBM Directory client if an LDAP or Lotus Domino server is being used as the user registry in the secure domain.
JRE requirements

On those operating system platforms that support the Tivoli Access Manager authorization API Java classes and methods, the base installation CD contains an optionally installable JRE. You also can choose to use any of the supported JREs listed in the IBM Tivoli Access Manager for e-business Release Notes for developing and deploying your Tivoli Access Manager Java applications.

After you have installed a suitable JRE, configure it for use with Tivoli Access Manager as outlined in the next section, "Configuring the Java runtime component to a particular Java runtime environment" on page 4.
Configuring the Java runtime component to a particular Java runtime environment

Configure the Tivoli Access Manager Java runtime component to use the proper JRE on the system by using the pdjrtecfg command. The pdjrtecfg command copies the Tivoli Access Manager JAR files to the JAVA_HOME/lib/ext directory of the JRE, automatically making the Tivoli Access Manager classes and methods available. The CLASSPATH in your environment does not need to be modified. Note that JAR files in JAVA_HOME/lib/ext are loaded by the extension class loader and, under the default java.policy shipped with the JRE, are granted AllPermission; treat that directory as trusted and restrict write access to it accordingly. The Tivoli Access Manager Java runtime component can be configured to several different JREs on the same system, if desired. See the IBM Tivoli Access Manager for e-business Command Reference for details.
Security requirements

The PD.jar file is signed and verified in this version of Tivoli Access Manager. The SvrSslCfg Java class (com.tivoli.pd.jcfg.SvrSslCfg) must be used to create configuration files that are to be used by Java applications. See "Configuring a Java application into the secure domain" on page 14 for details on using the SvrSslCfg class.

Note: The svrsslcfg command line interface and the SvrSslCfg Java utility are not interchangeable. Do not use the svrsslcfg command line interface to create configuration files that are to be used with Java applications. Do not use the SvrSslCfg Java class to create configuration files for use by C applications.
Deploying a Java authorization API application

Once you have developed and tested your Java application that uses the Tivoli Access Manager authorization API, you can deploy the application to systems that are configured as part of a Tivoli Access Manager secure domain. The Tivoli Access Manager Java runtime component is the only Tivoli Access Manager component that must be installed on a system to run a Tivoli Access Manager Java application. The Tivoli Access Manager runtime component is not needed for running Java applications.

Note: Information on installing the Tivoli Access Manager Java runtime component can be found in the IBM Tivoli Access Manager Base Installation Guide. For information on troubleshooting Java applications with Tivoli Access Manager, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.
Chapter 2. Understanding security in IBM Tivoli Access Manager

The IBM Tivoli Access Manager (Tivoli Access Manager) authorization Java classes provide an implementation of Java security code that is fully compliant with the Java 2 security model and the Java Authentication and Authorization Service (JAAS). The Tivoli Access Manager authorization Java classes are described in the following sections:

• "Using Java 2 security with IBM Tivoli Access Manager" on page 8
• "Java Authentication and Authorization Service (JAAS) model" on page 9
Using Java 2 security with IBM Tivoli Access Manager

The Java 2 security architecture is policy-based, and allows for fine-grained access control. When code is loaded, it is assigned permissions based on the security policy currently in effect. Each permission specifies a permitted access to a particular resource, such as read access to a specified file, or connect access to a specified host and port. The policy specifies which permissions are available for code from various signers and locations. The policy can be initialized from an external configuration file. Code can access a resource only if the permission that guards the resource gives the code explicit permission.

These concepts of permission and policy enable Java 2 to offer fine-grained, highly configurable, flexible, and extensible access control. Such access control can be specified for all Java code, including applications, beans, and servlets.
The Tivoli Access Manager authorization server provides an SSL-based access mode for handling remote authorization calls. The Tivoli Access Manager Java authorization API uses this socket-based capability to provide functionality equivalent to that provided in the authorization C API by the azn_decision_access_allowed() and azn_decision_access_allowed_ext() functions. The azn_decision_access_allowed() function requires the following information:

• Authentication information
• Resource name
• Access mode

The Java 2 permission model provides the resource name and the access mode. The Java Authentication and Authorization Service (JAAS) extensions to the Java 2 model provide the authentication information. Tivoli Access Manager functions as a back-end for normal Java 2 permission checks by providing:

• A custom JAAS LoginModule that manufactures authentication credentials.
• A custom permission class that knows how to locate and call Tivoli Access Manager.
Note: Tivoli Access Manager Java authorization servers operate as remote mode servers, even when configured as local mode servers. Local cache mode is not supported by the Tivoli Access Manager Java authorization API. In practice this means that every permission check is a round trip over SSL to an authorization server, so the availability and latency of the authorization servers become part of the application's; configure more than one authorization server, with ranks, rather than depending on a single one.
Java Authentication and Authorization Service (JAAS) model

The Java 2 permission model takes into account the following information:

• The physical origin (the directory or URL) of the classes that are currently active.
• The logical origin of those classes.
• The identity of the organization that produced the classes, as proved by digital signature.

This model serves well the browsers that first popularized Java, as it deals effectively with the issues of mobile code. JAAS augments the current Java 2 runtime to add knowledge of the user who is trying to run the application. This knowledge provides the authentication information needed when implementing the security model.

JAAS augments the Java 2 security model to enable the following features:

• Specification of permissions based on a user's identity.
• Enforcement of those permissions at application runtime.

These two features provide the authorization functionality needed when implementing the security model. The following sections describe how the Tivoli Access Manager authorization Java classes use the JAAS model:

• "Authenticating users and obtaining credentials" on page 9
• "Authorizing access requests" on page 10
Authenticating users and obtaining credentials

The Tivoli Access Manager Java-based authentication feature is built around the Java Authentication and Authorization Service (JAAS) model.

Note: More information on JAAS can be found at this Web site: http://java.sun.com/products/jaas

Tivoli Access Manager provides one JAAS LoginModule. You can use the module in two different ways. You can use it to authenticate a user and obtain the user's credentials. Alternatively, you can use it just to obtain the user's credentials.
Authenticating with a user name and password

In order to authenticate a user, the LoginModule requires that the calling application provide the following:

• A principal name, specified as either a short name or an X.500 name (DN)
• A password

The LoginModule authenticates the principal and returns the Tivoli Access Manager credential. The LoginModule expects the calling application to provide the following information:

• The user name, through a javax.security.auth.callback.NameCallback
• The password, through a javax.security.auth.callback.PasswordCallback

When the Tivoli Access Manager credential is successfully retrieved, the JAAS LoginModule creates a Subject and a PDPrincipal.
Retrieving credentials without authenticating

To retrieve credentials without authenticating, the calling application can call the JAAS LoginModule with only a principal name, as a short name or an X.500 name (DN). The LoginModule will expect the calling application to provide the user name through a javax.security.auth.callback.NameCallback. Because no password is checked in this mode, any code that can drive the login can obtain credentials for any user; reserve the name-only configuration for trusted resource managers that have already authenticated the user by other means.
Using the login configuration file

You can use an entry in the login configuration file to specify which of the two login modes your application uses. You can configure the module to either require both a user name and a password, or just a user name. This configuration takes the form of an optional keyword, nameOnly=true. If nameOnly is omitted or specified to be false, both the user name and the password are required.
Authorizing access requests

The Tivoli Access Manager authorization Java classes are built around JAAS and the Java 2 security model. The Tivoli Access Manager API closely follows the Java 2 permission model.

Note: For more information on the Java 2 security model, see: http://java.sun.com/j2se/1.3/docs/guide/security/index.html

The Tivoli Access Manager authorization API Java classes provide a new permission class named PDPermission. This class extends the abstract class com.ibm.IBMPermission, which extends the abstract class java.security.Permission. PDPermission establishes the SSL-protected socket communications protocol which is used to talk to Tivoli Access Manager.

An entry needs to be made in the JAAS policy file to ensure that the JAAS security code calls the implies() method in the PDPermission class described below. This entry could be made specific to particular codebases, as desired.
For Java 1.3.X you must define your JAAS policy in its own file and then specify the URL in the java.security file using the property auth.policy.url.X (where X is an integer). For example:

    auth.policy.url.1=file:${java.home}/lib/security/jaas.policy

Alternatively, you can use the Java interpreter's -D flag to specify the JAAS policy file. For example:

    java -Dauth.policy.url.1=file:/opt/PolicyDirector/etc/jaas.policy

Note: For Java 1.4, you can specify the JAAS policy directly in the java.policy file found in java_home/lib/security. You can also use the same method as for Java 1.3.X.

A policy entry of the required form looks like this (the comma between the target name and the action string is required by the policy file syntax):

    grant signedBy "xxx" codeBase "file:/E:/Program Files/aaa/bbb/ccc"
          principal com.tivoli.mts.PDPrincipal "*" {
        permission com.tivoli.mts.PDPermission "ignoreme", "a";
    };
The contents of the target name and action string in this entry ("ignoreme" and "a" above) are unimportant because the PDPermission class ignores them. This is because Tivoli Access Manager acts as the repository for security policy. The intent of this entry is to get the Java security code to call the implies() method when some resource manager checks to see if a permission is held.
The PDPermission class implements a constructor plus the following methods:

implies()
    Checks whether Tivoli Access Manager grants the specified permissions.
equals()
    Determines if two PDPermission objects are equal.
getActions()
    Returns the canonical string representation of the actions.
hashCode()
    Returns the hash code value for the object.
The implies() method flow consists of the following steps:

1. Use the static getSubject() method to retrieve the current Subject. (The Subject was created by the PDLoginModule class, and placed on the current thread of execution by the resource manager.)
2. If the Subject contains a Principal of type com.tivoli.mts.PDPrincipal, then the appropriate credentials are secured for the call to Tivoli Access Manager.

The example below illustrates one way a resource manager, such as a Web server or Enterprise Java Beans container, would place the Subject on the current thread of execution.

    Subject.doAs(whoami, new java.security.PrivilegedAction() {
        public java.lang.Object run() {
            // work performed as the authenticated Subject goes here
            return null;
        }
    });
At this point the PDPermission class has all the information required to make the authorization call to Tivoli Access Manager. The code sample below shows a typical authorization check that invokes Tivoli Access Manager through the PDPermission class implementation. The checkPermission() method returns quietly unless it fails, in which case it throws a java.lang.SecurityException.

    PDPermission perm = new PDPermission("/MyResourceManager/private",
                                         "[simple]rT[newActionGroup1]Z");
    // checkPermission() is an instance method, so a SecurityManager must be installed
    SecurityManager sm = System.getSecurityManager();
    sm.checkPermission(perm);
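The action string handed to PDPermission mixes bare letters with bracketed action-group names, as in "[simple]rT[newActionGroup1]Z" above and "abT" later in this chapter. The following is an added example, not code from this reference or from the Tivoli Access Manager product: a small parser that validates such a string and rebuilds its canonical form before it is passed to PDPermission, so that a malformed string fails loudly in the application instead of being sent to the authorization server. It assumes, as the page's examples suggest, that unbracketed letters belong to the primary action group and that "[group]" introduces a named group; check that reading against the PDPermission Javadoc. The class name PdActionString and the label "primary" are this example's own.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.SortedSet;
import java.util.TreeSet;

/**
 * Added example (not part of the Tivoli Access Manager API): parse and
 * canonicalise a PDPermission action string such as "[simple]rT[newActionGroup1]Z".
 * Assumption: bare letters belong to the primary action group; "[name]"
 * switches the following letters into the named group.
 */
public final class PdActionString {

    /** Label used in this example for the unbracketed (primary) action group. */
    public static final String PRIMARY = "primary";

    private PdActionString() {}

    /** Splits an action string into group name -> sorted set of single-letter actions. */
    public static Map<String, SortedSet<Character>> parse(String actions) {
        Map<String, SortedSet<Character>> groups = new LinkedHashMap<String, SortedSet<Character>>();
        String current = PRIMARY;
        int i = 0;
        while (i < actions.length()) {
            char c = actions.charAt(i);
            if (c == '[') {
                int close = actions.indexOf(']', i);
                if (close < 0 || close == i + 1) {
                    throw new IllegalArgumentException("unterminated or empty group name at offset " + i);
                }
                current = actions.substring(i + 1, close);
                i = close + 1;
            } else if (Character.isLetter(c)) {
                SortedSet<Character> set = groups.get(current);
                if (set == null) {
                    set = new TreeSet<Character>();
                    groups.put(current, set);
                }
                set.add(c);
                i++;
            } else {
                // Anything else (spaces, punctuation, digits) is rejected rather than ignored.
                throw new IllegalArgumentException("unexpected character '" + c + "' at offset " + i);
            }
        }
        if (groups.isEmpty()) {
            throw new IllegalArgumentException("action string names no actions");
        }
        return groups;
    }

    /** Rebuilds the string: primary actions first, then each named group in the order first seen. */
    public static String canonical(Map<String, SortedSet<Character>> groups) {
        StringBuilder sb = new StringBuilder();
        SortedSet<Character> primary = groups.get(PRIMARY);
        if (primary != null) {
            for (char c : primary) sb.append(c);
        }
        for (Map.Entry<String, SortedSet<Character>> e : groups.entrySet()) {
            if (PRIMARY.equals(e.getKey())) continue;
            sb.append('[').append(e.getKey()).append(']');
            for (char c : e.getValue()) sb.append(c);
        }
        return sb.toString();
    }

    /** Validates and normalises an action string before it is given to PDPermission. */
    public static String normalise(String actions) {
        return canonical(parse(actions));
    }

    public static void main(String[] args) {
        // Inputs taken from the examples in this chapter.
        System.out.println(parse("[simple]rT[newActionGroup1]Z"));
        System.out.println(normalise("Tba"));
        System.out.println(normalise("[simple]rT[newActionGroup1]Z"));
        try {
            normalise("[simple");   // unterminated group: rejected before any authorization call
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The normalised string is what you would pass as the second constructor argument of PDPermission; the parser only checks syntax locally and is no substitute for the implies() call that actually consults Tivoli Access Manager.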
Chapter 3. Using the authorization API

This chapter covers the following topics:

• "Configuring a Java application into the secure domain" on page 14
• "Configuring the Java Authentication and Authorization Service" on page 19
• "Developing a resource manager" on page 20
• "Making authorization decisions outside of Java 2" on page 21
• "Obtaining entitlements for a specified user" on page 22
Configuring a Java application into the secure domain

Java applications that use Tivoli Access Manager security must be configured into a Tivoli Access Manager secure domain. Tivoli Access Manager provides a utility class called com.tivoli.pd.jcfg.SvrSslCfg that can be used to accomplish the necessary configuration and unconfiguration tasks. This section describes those tasks, and provides example command line syntax for each task. You can use SvrSslCfg to accomplish the following tasks:

• "Configuring an application server" on page 15
• "Unconfiguring an application server" on page 16
• "Adding a policy or authorization server" on page 16
• "Removing a policy or authorization server" on page 17
• "Changing a policy or authorization server" on page 17
• "Replacing a certificate" on page 17
• "Setting the port" on page 17
• "Setting the database directory" on page 17
• "Setting the database refresh interval" on page 18
• "Setting the application listening mode" on page 18
The examples in this chapter use the values shown in Table 2.

Table 2. Sample information used for SvrSslCfg examples

Administrator user ID: sec_master
Administrator password: secpw
Policy server, TCP/IP communications port number, and rank (default port is 7135): ampolicy.myco.com:7135:1
    This entry can also be used to specify a policy server proxy. The location, port, and rank of the policy server proxy must be specified. The default port for a proxy is 7138.
Authorization server, TCP/IP communications port number, and rank (default port is 7136): amazn.myco.com:7136:1
Host name of Java application system: jsys.myco.com
TCP/IP port on which the application server listens for communications from the policy server: 999
Application server password: pw
Tivoli Access Manager application ID: PDPermissionjapp
    The application ID must be unique. Other instances of the application running on this or other systems must each be given a unique ID.
Tivoli Access Manager domain: mydomain
Configuration file: c:\am\config_file.conf
    Note that SvrSslCfg creates this configuration file when called with -action config. When SvrSslCfg is called with other options (for example, -action addsvr), the configuration file is expected to already exist.
Keystore file: c:\am\keystore_file.ks
    Note that SvrSslCfg creates this keystore file when called with -action config. When SvrSslCfg is called with other options (for example, -action addsvr), the keystore file is expected to already exist.
A detailed command reference for the SvrSslCfg class can be found in Appendix A, "com.tivoli.pd.jcfg.SvrSslCfg," on page 31.

Compatibility Note: The com.tivoli.mts.SvrSslCfg class has been deprecated. The new com.tivoli.pd.jcfg.SvrSslCfg class does not support either of the positional parameter formats used in Tivoli SecureWay Policy Director Version 3.8 or Tivoli Access Manager Version 3.9. Existing Java applications need to be modified to use the new class.
Configuring an application server

Tivoli Access Manager uses a self-generated and self-signed certificate to authenticate its Secure Sockets Layer (SSL) communications. The Tivoli Access Manager authorization API Java classes must be able to determine the certificate that Tivoli Access Manager is using in order to establish its SSL communication. You also must establish an identity for the Java application.

The SvrSslCfg class is used to create a Tivoli Access Manager user account for an application server and to store the server's configuration and certificate information in local configuration and keystore files. After obtaining the necessary information, use the SvrSslCfg option -action config to create the Tivoli Access Manager application name, the configuration file, and the keystore file. Configuring an application server creates user and server information in the user registry as well as local configuration and keystore files. Restrict read access to the keystore and configuration files to the account that runs the Java application: anyone who can read them can present the application's identity to the secure domain.

When using -action config, you must also specify whether you are creating or replacing the configuration and keystore files. The -cfg_action create option is used to initially create the configuration and keystore files. Use -cfg_action replace if these files already exist. If the -cfg_action create option is used and the configuration or keystore files already exist, an exception is thrown.

Tivoli Access Manager supports application servers in either remote mode or local mode. A sample configuration command for each mode is shown below.
Configuring remote mode

Based on the sample information shown in Table 2 on page 14, the command to establish an SSL connection between the Java application on jsys.myco.com and the Tivoli Access Manager secure domain, in remote mode, could be as follows:

    java com.tivoli.pd.jcfg.SvrSslCfg -action config \
        -admin_id sec_master -admin_pwd secpw \
        -appsvr_id PDPermissionjapp -appsvr_pwd pw -host jsys.myco.com \
        -mode remote -port 999 -policysvr ampolicy.myco.com:7135:1 \
        -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf \
        -key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create
Compatibility Note: In Tivoli SecureWay Policy Director Version 3.8, the arguments for the deprecated com.tivoli.mts.SvrSslCfg class did not allow the specification of the configuration and keystore files and required that the account for the application be created on the policy server prior to invoking the class. In Tivoli Access Manager, these steps are now supported in one operation using the com.tivoli.pd.jcfg.SvrSslCfg class.
Configuring local mode

Based on the sample information shown in Table 2 on page 14, the command to establish an SSL connection between the Java application and the Tivoli Access Manager secure domain in local mode might be as follows:

    java com.tivoli.pd.jcfg.SvrSslCfg -action config \
        -admin_id sec_master -admin_pwd secpw \
        -appsvr_id PDPermissionjapp -host jsys.myco.com \
        -mode local -port 999 -policysvr ampolicy.myco.com:7135:1 \
        -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf \
        -key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create
Note: Tivoli Access Manager Java authorization servers operate as remote mode servers, even when configured as local mode servers. Local cache mode is not supported by the Tivoli Access Manager Java authorization API. Note also that local mode was not available in Tivoli SecureWay Policy Director Version 3.8 or Tivoli Access Manager Version 3.9.
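Both configuration commands above put the sec_master password (and, in remote mode, the application server password) on the command line, where other users on the system can read it from the process list and where it lands in shell history. The following is an added example, not part of this reference or of the product, that runs the same remote-mode configuration from a small Java program and reads both secrets from files that only the configuring account can read. It assumes that com.tivoli.pd.jcfg.SvrSslCfg exposes a public static main(String[]) (it is invoked that way throughout this chapter) and that it reports failure by throwing or printing rather than by calling System.exit; confirm both against Appendix A. The class name ConfigureAppServer and the secret file paths under c:/am/secrets are this example's own.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not part of the Tivoli Access Manager product): invoke
 * SvrSslCfg -action config with the passwords loaded from owner-readable
 * files instead of the command line. Assumes SvrSslCfg.main(String[]) exists
 * and returns normally on success.
 */
public class ConfigureAppServer {

    /** Argument vector for the remote-mode command shown in this section, using the Table 2 values. */
    public static String[] remoteModeArgs(String adminPwd, String appSvrPwd) {
        List<String> a = new ArrayList<String>();
        add(a, "-action", "config");
        add(a, "-admin_id", "sec_master");
        add(a, "-admin_pwd", adminPwd);
        add(a, "-appsvr_id", "PDPermissionjapp");
        add(a, "-appsvr_pwd", appSvrPwd);
        add(a, "-host", "jsys.myco.com");
        add(a, "-mode", "remote");
        add(a, "-port", "999");
        add(a, "-policysvr", "ampolicy.myco.com:7135:1");
        add(a, "-authzsvr", "amazn.myco.com:7136:1");
        add(a, "-cfg_file", "c:/am/config_file.conf");
        add(a, "-key_file", "c:/am/keystore_file.ks");
        add(a, "-domain", "mydomain");
        add(a, "-cfg_action", "create");
        return a.toArray(new String[a.size()]);
    }

    private static void add(List<String> a, String flag, String value) {
        a.add(flag);
        a.add(value);
    }

    /** Reads a one-line secret; the file itself must be protected by file system permissions. */
    static String readSecret(String path) throws IOException {
        BufferedReader r = new BufferedReader(new FileReader(path));
        try {
            String line = r.readLine();
            if (line == null || line.trim().length() == 0) {
                throw new IOException("empty secret file: " + path);
            }
            return line.trim();
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical secret files; create them readable only by the configuring account.
        String adminPwd = readSecret("c:/am/secrets/sec_master.pwd");
        String appSvrPwd = readSecret("c:/am/secrets/appsvr.pwd");
        // Same effect as the remote-mode command above, without exposing either password in "ps".
        com.tivoli.pd.jcfg.SvrSslCfg.main(remoteModeArgs(adminPwd, appSvrPwd));
    }
}
```

Because -cfg_action create throws if the configuration or keystore file already exists, run this once per application instance; for reconfiguration, change the last pair of arguments to -cfg_action replace.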
Unconfiguring an application server

The -action unconfig option removes the user and server information from the user registry, deletes the local keystore file, and removes information for this application from the configuration file, but does not delete the configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg -action unconfig \
        -admin_id sec_master -admin_pwd secpw \
        -appsvr_id PDPermissionjapp -host jsys.myco.com \
        -policysvr ampolicy.myco.com:7135:1 \
        -cfg_file c:/am/config_file.conf -domain mydomain

The unconfiguration operation fails only if the caller is unauthorized or the policy server cannot be contacted.
Adding a policy or authorization server

The -action addsvr option adds a policy or authorization server to the application server's configuration file.

To add a policy server:

    java com.tivoli.pd.jcfg.SvrSslCfg -action addsvr \
        -policysvr ampolicy3.myco.com:7135:2 \
        -cfg_file c:/am/config_file.conf

To add an authorization server:

    java com.tivoli.pd.jcfg.SvrSslCfg -action addsvr \
        -authzsvr am2azn.myco.com:7136:2 \
        -cfg_file c:/am/config_file.conf
Removing a policy or authorization server

Use the -action rmsvr option to remove a policy or authorization server from the configuration file.

To remove a policy server:

    java com.tivoli.pd.jcfg.SvrSslCfg -action rmsvr \
        -policysvr ampolicy.myco.com:7135:1 \
        -cfg_file c:/am/config_file.conf

To remove an authorization server:

    java com.tivoli.pd.jcfg.SvrSslCfg -action rmsvr \
        -authzsvr amazn.myco.com:7136:1 \
        -cfg_file c:/am/config_file.conf
Changing a policy or authorization server

Use the -action chgsvr option to change the port or rank for a policy or authorization server in the configuration file. Do not use this option to change the host name.

    java com.tivoli.pd.jcfg.SvrSslCfg -action chgsvr \
        -policysvr ampolicy2.myco.com:7135:2 \
        -cfg_file c:/am/config_file.conf

or

    java com.tivoli.pd.jcfg.SvrSslCfg -action chgsvr \
        -authzsvr amazn.myco.com:7136:1 \
        -cfg_file c:/am/config_file.conf
Replacing a certificate

The certificate in the keystore expires based on the certificate lifetime set on the policy server. After the certificate expires, the -action replcert option must be used to generate a new certificate. The new certificate replaces the existing certificate in the application server's keystore file. Track the lifetime operationally: once the certificate has expired the application can no longer establish its SSL connection to the secure domain, and its authorization calls fail until replcert has been run. The -action replcert option also can be used to invalidate an existing certificate, which is useful should a certificate become compromised.

    java com.tivoli.pd.jcfg.SvrSslCfg -action replcert \
        -admin_id sec_master -admin_pwd secpw \
        -appsvr_id PDPermissionjapp -cfg_file c:/am/config_file.conf
Setting the port

Use the -action setport option to set the port on which the application server listens. This only updates the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg -action setport \
        -port 4321 -cfg_file c:/am/config_file.conf
Setting the database directory

Use the -action setdbdir option on local-mode application servers to set the directory where a local copy of the policy database is stored. This only updates the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg -action setdbdir \
        -dbdir c:/production/policy -cfg_file c:/am/config_file.conf
Setting the database refresh interval

Use the -action setdbref option on local-mode application servers to set the refresh interval for the local copy of the policy database. The time interval is specified in seconds. This only updates the application server's configuration file. The following example sets the interval to every 60 minutes (3600 seconds).

    java com.tivoli.pd.jcfg.SvrSslCfg -action setdbref \
        -dbrefresh 3600 -cfg_file c:/am/config_file.conf
Setting the application listening mode

Use the -action setdblisten option on local-mode application servers to indicate whether or not the application listens for policy database update notifications. This only updates the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg -action setdblisten \
        -dblisten true -cfg_file c:/am/config_file.conf
Configuring the Java Authentication and Authorization Service

This section describes how to set up and use a login configuration file with the Tivoli Access Manager authorization API Java classes. The Tivoli Access Manager configuration steps follow the configuration methods supported by the Java Authentication and Authorization Service (JAAS). This section does not provide an overview of all of the JAAS configuration options. To review the JAAS configuration information, see the following Web site: http://java.sun.com/products/jaas

Complete the instructions in the following sections:

• "Creating a login configuration file" on page 19
• "Specify the login file location" on page 19
Creating a login configuration file

Use the sample file shown in Figure 1 as the basis for creating a login configuration file for use with Tivoli Access Manager. No default login configuration file is shipped as part of Tivoli Access Manager. Note that the last stanza allows applications that use pd-nopass in their LoginContext constructor to simply supply user names but not passwords. For more information, see the Javadoc information for com.tivoli.mts.PDLoginModule.

    //// config.pd: Login configuration file for PDLoginModule
    pd-debug {
        com.tivoli.mts.PDLoginModule required debug=true;
    };
    pd {
        com.tivoli.mts.PDLoginModule required;
    };
    pd-nopass {
        com.tivoli.mts.PDLoginModule required nameOnly=true;
    };

Figure 1. JAAS login configuration file

Specify the login file location

Choose one of the following ways to specify the location of the login file:

• Point to the login configuration file from the JAVA_HOME/jre/lib/security/java.security file. For example, a sample entry from the java.security file might look like this:

      login.config.url.1=file:d:/Java/j131ibm/jre/lib/security/config.pd

• Specify the appropriate -D option on the java command line invocation, such as:

      -Djava.security.auth.login.config=./config.pd

For more information, see the JAAS configuration documentation.
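The following is an added example, not code from this reference or from the product, that drives the pd and pd-nopass stanzas of the config.pd file in Figure 1 from application code. It supplies a CallbackHandler that answers the NameCallback and PasswordCallback described in Chapter 2, and it treats the name-only stanza as what it is: a way to obtain credentials for a user whom the caller has already authenticated by other means. It assumes the JVM was started with -Djava.security.auth.login.config=./config.pd (or the equivalent java.security entry) and that PD.jar is available to the JRE; the class name PdLogin and the method names are this example's own.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not part of the Tivoli Access Manager API): log in through
 * com.tivoli.mts.PDLoginModule using the "pd" and "pd-nopass" stanzas of
 * config.pd. Assumes the JAAS login configuration has been pointed at that file.
 */
public class PdLogin {

    /** Answers the NameCallback and PasswordCallback that PDLoginModule issues. */
    static final class FixedCallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] password;   // null when only a name is being supplied

        FixedCallbackHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    if (password == null) {
                        // The stanza asked for a password we do not have: fail the login
                        // rather than hand back an empty password.
                        throw new UnsupportedCallbackException(cb, "no password available for " + name);
                    }
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Authenticates name and password with the "pd" stanza and returns the resulting Subject. */
    public static Subject authenticate(String name, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("pd", new FixedCallbackHandler(name, password));
        try {
            lc.login();                  // drives PDLoginModule.login() and commit()
        } finally {
            Arrays.fill(password, '\0'); // clear our copy of the password whether or not login succeeded
        }
        return lc.getSubject();          // contains the PDPrincipal created by the LoginModule
    }

    /**
     * Obtains credentials with the "pd-nopass" stanza (nameOnly=true). Nothing is verified
     * here, so call this only for users the application has already authenticated itself.
     */
    public static Subject credentialsFor(String name) throws LoginException {
        LoginContext lc = new LoginContext("pd-nopass", new FixedCallbackHandler(name, null));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the same user name and password used in Figure 3.
        Subject authenticated = authenticate("tom", "letmein".toCharArray());
        System.out.println("principals after password login: " + authenticated.getPrincipals());

        Subject lookedUp = credentialsFor("tom");
        System.out.println("principals after name-only login: " + lookedUp.getPrincipals());
    }
}
```

Either Subject can then be placed on the thread with Subject.doAs() or Subject.doAsPrivileged(), as the resource manager example in the next section does, so that PDPermission.implies() finds the PDPrincipal it needs.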
Developing a resource manager

A resource manager is a Java application that uses JAAS and the Tivoli Access Manager authorization API Java classes to make access control decisions. The sample code in Figure 2 illustrates the tasks that the resource manager must perform. In the sample, np is the application's javax.security.auth.callback.CallbackHandler, sm is a reference to the installed SecurityManager, and user and VERBOSE are variables of the surrounding program.

    // Identify the login configuration stanza and the callback handler
    lc = new LoginContext("pd-debug", np);
    // Drive the login() and commit() methods of the LoginModule class
    lc.login();
    whoami = lc.getSubject();
    System.out.println(whoami);
    // Become that user
    Subject.doAsPrivileged(whoami, new java.security.PrivilegedAction() {
        public java.lang.Object run() {
            boolean worked;
            java.security.Permission perm = new PDPermission("/test/private", "a");
            try {
                // sm is a reference to a SecurityManager
                sm.checkPermission(perm);
                worked = true;
            } catch (AccessControlException e) {
                if (VERBOSE) e.printStackTrace();
                worked = false;
            }
            if (worked) {
                System.out.println("user " + user + " has \"" + perm.getActions()
                    + "\" permission(s) to target " + perm.getName());
            } else {
                System.out.println("user " + user + " DOES NOT HAVE \"" + perm.getActions()
                    + "\" permission(s) to target " + perm.getName());
            }
            return null;
        }
    }, (java.security.AccessControlContext) null);

Figure 2. Resource manager task example
Making authorization decisions outside of Java 2

The Tivoli Access Manager authorization API Java classes also support a completely Java-compliant usage of the Tivoli Access Manager authorization check that is outside of the Java 2 and JAAS framework. The PDPrincipal class has a constructor that takes a name and password and authenticates to Tivoli Access Manager as part of the construction of the object. The PDPrincipal class also has a constructor that simply takes a name. A security check is performed on the current environment when one is using the no-password version of the constructor. The permission that must be held is:

    permission javax.security.auth.AuthPermission "createPDPrincipal"

If authorized, the constructor retrieves the authentication information from Tivoli Access Manager for that entity. The names that are supported on these constructors can either be Tivoli Access Manager short names or distinguished names.

After you have constructed a PDPrincipal object for the specified entity, construct a PDPermission with the name of the requested resource (the protected object) and the requested action to be performed on that object. Then invoke the PDPrincipal.implies(PDPermission) method to determine if the specified access to the specified object is allowed for the specified entity. The sample in Figure 3 shows an example of how to perform these tasks.
    PDPrincipal whoIsIt = new PDPrincipal("tom", "letmein".toCharArray());
    PDPermission whatTheyWant = new PDPermission("/everything", "abT");
    boolean haveAccess = whoIsIt.implies(whatTheyWant);
    if (haveAccess) {
        // let them proceed...
    } else {
        // deny the requested access
    }

Figure 3. Example showing authorization outside of Java 2
Obtaining entitlements for a specified user

The authorization API supports a service plug-in model that enables developers to add modules that extend the capabilities of Tivoli Access Manager. The entitlements service plug-in is the only type of plug-in that is callable from a Java application at this time. An entitlements service plug-in enables authorization API applications for a specific Tivoli Access Manager secure domain to retrieve the entitlements for a user from the policy repository for that secure domain. An entitlements service allows a third-party application running in the secure domain to call a specific entitlements service based on its service ID. If no service ID is provided, the default entitlements service plug-in is called. An entitlements service plug-in, like other authorization service plug-ins, must be installed and configured before use.

Tivoli Access Manager provides a default entitlement service called the Tivoli Access Manager protected objects entitlements service that is specific to the Tivoli Access Manager environment. This entitlements service plug-in accepts a single, multi-valued string attribute that specifies one or more root nodes for searching the Tivoli Access Manager protected object space, along with an indicator of what access permissions are required. The plug-in returns a multi-valued attribute list of protected objects meeting the search criteria. This entitlement service can be called from a Java application by using the PDPrincipal.getEntitlements method, which is equivalent to using the azn_entitlements_get_entitlements() function from a C application.
Figure
4
shows
a
call
to
the
protected
objects
entitlements
service
requesting
a
list
of
objects
in
the
/AppData/AccountData
and
/AppData/EmployeeData
object
trees
to
which
the
principal
has
view
and
modify
permission.
The protected objects entitlements service returns a multi-valued attribute list consisting of byte arrays or Strings representing the protected objects to which the principal has the desired access permission. The sample code in Figure 5 demonstrates printing the results. Additional information on the entitlements service plug-in, as well as the other types of authorization service plug-ins, can be found in the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.

    // 'major' labels the enclosing block so that the 'break major' below has a target
    major: {
        PDAttrs attrsIn = new PDAttrs(true);
        PDAttrs attrsOut = new PDAttrs(true);
        // Does user have view and modify access to desired resources?
        attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, "/AppData/AccountData");
        attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, "/AppData/EmployeeData");
        attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_REQD_OPS, "vm");
        attrsOut = principal.getEntitlements(PDStatics.AZN_ENT_SVC_PD_POBJ, attrsIn);
        // Is user entitled to anything?
        PDAttrValues results = attrsOut.get(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);
        if ((results == null) || (results.isEmpty())) {
            System.out.println("Nothing found.");
            break major;
        }
        // Process String or byte array results...
    }

Figure 4. Using the PDPrincipal.getEntitlements method

    // 'major' labels the enclosing block so that the 'break major' below has a target
    major: {
        // Process results of getEntitlements
        PDAttrValues results = attrsOut.get(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);
        if ((results == null) || (results.isEmpty())) {
            System.out.println("Nothing found");
            break major;
        }
        java.util.Iterator iter = results.iterator();
        while (iter.hasNext()) {
            Object value = ((PDAttrValue) iter.next()).getValue();
            System.out.println(value.toString());
        }
    }

Figure 5. Processing protected objects returned
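Pulling Figures 4 and 5 together, the following added example (written for this reference, not IBM's own code) builds the input attribute list for the protected objects entitlements service, calls PDPrincipal.getEntitlements, and decodes every match, whether the service returned it as a String or as a byte array, into one list of object names, using PDAttrValue.getType() and the PDStatics.AZN_VALTYPE_* constants to tell the two apart. It assumes the PDAttrs(boolean) constructor used in Figure 4, that checked failures surface as com.tivoli.pd.jutil.PDException, and that byte-array values carry UTF-8 text.

```java
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import com.tivoli.mts.PDPrincipal;
import com.tivoli.pd.jutil.PDAttrValue;
import com.tivoli.pd.jutil.PDAttrValues;
import com.tivoli.pd.jutil.PDAttrs;
import com.tivoli.pd.jutil.PDException;   // assumption: checked failures of the API
import com.tivoli.pd.jutil.PDStatics;

/**
 * Added example, not code from the IBM manual: ask the protected objects
 * entitlements service for every object under the given root nodes to which
 * the principal holds all of the requested permissions, and normalise the
 * String / byte[] results into a single list of object names.
 */
public final class EntitledObjects {

    private EntitledObjects() { }

    /**
     * @param principal   an authenticated PDPrincipal (constructed as in Figure 3)
     * @param roots       root nodes of the protected object space to search,
     *                    for example "/AppData/AccountData" (constructed sample values)
     * @param requiredOps permission string the principal must hold, for example "vm"
     * @return object names the principal is entitled to; an empty list when none
     */
    public static List<String> findEntitledObjects(PDPrincipal principal,
                                                   String[] roots,
                                                   String requiredOps) throws PDException {
        // allowDuplicates = true, as in Figure 4: the same attribute name
        // (the POBJ_PATH attribute) is added once per root node.
        PDAttrs attrsIn = new PDAttrs(true);
        for (int i = 0; i < roots.length; i++) {
            attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, roots[i]);
        }
        attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_REQD_OPS, requiredOps);

        // Call the default protected objects entitlements service by its service ID.
        PDAttrs attrsOut = principal.getEntitlements(PDStatics.AZN_ENT_SVC_PD_POBJ, attrsIn);

        List<String> matches = new ArrayList<String>();
        PDAttrValues results = attrsOut.get(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);
        if (results == null || results.isEmpty()) {
            return matches;   // not entitled to anything under these roots
        }
        for (Iterator<?> it = results.iterator(); it.hasNext();) {
            PDAttrValue v = (PDAttrValue) it.next();
            matches.add(valueAsString(v));
        }
        return matches;
    }

    /**
     * The service may return each object name as a String or as a byte[].
     * Printing a byte[] with toString() (as Figure 5 does) yields only the
     * array's identity, so buffers are decoded explicitly here.
     */
    private static String valueAsString(PDAttrValue v) {
        Object raw = v.getValue();
        if (v.getType() == PDStatics.AZN_VALTYPE_BUFFER) {
            try {
                return new String((byte[]) raw, "UTF-8");   // assumption: UTF-8 text
            } catch (UnsupportedEncodingException e) {
                return new String((byte[]) raw);             // platform default as a fallback
            }
        }
        return raw.toString();   // AZN_VALTYPE_STRING and any other value type
    }
}
```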
Chapter 4. Java classes overview

This chapter discusses the Tivoli Access Manager authorization API Java classes:

• “com.tivoli.mts.PDLoginModule” on page 25
• “com.tivoli.mts.PDPrincipal” on page 25
• “com.tivoli.mts.PDPermission” on page 26
• “com.tivoli.pd.jutil.PDAttrs” on page 26
• “com.tivoli.pd.jutil.PDAttrValueList” on page 27
• “com.tivoli.pd.jutil.PDAttrValues” on page 28
• “com.tivoli.pd.jutil.PDStatics” on page 28

See the Javadoc information in the Tivoli Access Manager ADK for detailed information about all of these classes and their associated methods.
com.tivoli.mts.PDLoginModule

This class enables a user to authenticate to Tivoli Access Manager using a user name and password. This class must be run inside the JAAS framework.

    public class PDLoginModule implements javax.security.auth.spi.LoginModule {
        public PDLoginModule()
        public boolean login()
        public boolean logout()
        public boolean abort()
        public boolean commit()
        public void initialize(javax.security.auth.Subject subject,
                               javax.security.auth.callback.CallbackHandler callbackHandler,
                               java.util.Map sharedState,
                               java.util.Map options)
    }
com.tivoli.mts.PDPrincipal

This class represents the identity of a Tivoli Access Manager user. Note that the PDPrincipal object can, when necessary, be deserialized. When this is done, use the setConfig() method to set configuration information within the reconstructed object. For more information, see the Javadoc reference page for com.tivoli.mts.PDPrincipal.

    public class PDPrincipal implements java.security.Principal,
            com.ibm.security.auth.PrincipalComparator, java.io.Externalizable {
        public PDPrincipal()
        public PDPrincipal(byte[] creds, URL configURL)
        public PDPrincipal(String name)
        public PDPrincipal(String name, char[] password)
        public PDPrincipal(String name, char[] password, URL configURL)
        public PDPrincipal(String name, String creds, URL configURL)
        public PDPrincipal(String name, URL configURL)
        public PDPrincipal(URL configURL)
        public PDPrincipal addGroupMemberships(String serviceID, String[] groups)
        public boolean equals(Object o)
        public PDAttrs getEntitlements(String serviceID, PDAttrs attrsIn)
        public String getName()
        public byte[] getPAC()
        public int hashCode()
        public void readExternal(ObjectInput in)
        public void writeExternal(ObjectOutput out)
        public void setConfig(URL configURL)
        public String toString()
        public boolean implies(javax.security.auth.Subject subject)
        public boolean implies(PDPermission perm)
        public boolean implies(PDPermission perm, PDAttrs attrsIn, PDAttrs attrsOut)
    }
com.tivoli.mts.PDPermission

This class represents an authorization permission for accessing a protected resource object in a secure domain defined by Tivoli Access Manager. PDPermission allows usage of Tivoli Access Manager as the authorization engine for normal Java 2 permission checks.

    public class PDPermission {
        public PDPermission(java.lang.String rname, java.lang.String actions)
        public boolean implies(java.security.Permission p)
        public boolean implies(PDPrincipal princ)
        public boolean implies(PDPrincipal princ, PDAttrs inputList, PDAttrs outputList)
        public boolean equals(Object obj)
        public String getActions()
        public int hashCode()
    }
com.tivoli.pd.jutil.PDAttrs

This class represents a collection of attributes. Attributes are used to encapsulate input and output data sent to and received from authorization and administration service functions. Each attribute consists of entries that have a name and one or more values. The names are Strings, and the values can be of type String, byte array, Long, or PDAdmSvcPobj.

Several of the constructors for this class use the context parameter, of class com.tivoli.pd.jutil.PDBasicContext. This is a superclass of the Tivoli Access Manager contexts. The context that should be passed for the authorization APIs is a subclass such as PDContext.

    public class PDAttrs extends com.tivoli.pd.jutil.PDEnvironmentObject
            implements java.lang.Cloneable, java.io.Serializable {
        public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context)
        public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context, boolean allowDuplicates)
        public PDAttrs(PDAttrs that)
        public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context, byte[] serverData)
        public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context, com.tivoli.pd.jasn1.attrlist_t alt)
        public java.util.Collection add(java.lang.String name, PDAttrValues vals)
        public java.util.Collection add(java.lang.String name, java.util.Collection vals)
        public java.util.Collection add(java.lang.String name, java.lang.String value)
        public java.util.Collection add(java.lang.String name, java.lang.Long value)
        public java.util.Collection add(java.lang.String name, PDAdmSvcPobj value)
        public java.util.Collection add(java.lang.String name, byte[] value)
        public void addAll(PDAttrs attrs)
        public void clear()
        public boolean delete(java.lang.String key)
        public java.lang.Object clone()
        public java.util.Set entrySet()
        public boolean equals(java.lang.Object obj)
        public PDAttrValues get(java.lang.String key)
        public java.util.Collection getValues(java.lang.String key)
        public int getQoP()
        public boolean allowDups()
        public int hashCode()
        public java.util.Set keySet()
        public void setQoP(int qop)
        public int size()
        public java.lang.String toString()
        public com.tivoli.pd.jasn1.attrlist_t getAttrlist_t()
        public void getAttrlist_t(com.tivoli.pd.jasn1.attrlist_t alt)
    }
com.tivoli.pd.jutil.PDAttrValue

This class represents the value of a Tivoli Access Manager attribute. A value may be a String, a byte array, a Long, or a PDAdmSvcPobj.

    public class PDAttrValue extends com.tivoli.pd.jutil.PDEnvironmentObject
            implements java.lang.Cloneable, java.io.Serializable {
        public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, java.lang.String string)
        public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, byte[] bytes)
        public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, PDAdmSvcPobj pobj)
        public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, java.lang.Long ulong)
        public boolean equals(java.lang.Object iobj)
        public java.lang.Object getValue()
        public int getType()
        public int hashCode()
        public java.lang.Object clone()
        public java.lang.String toString()
    }
com.tivoli.pd.jutil.PDAttrValueList

This class represents the list of values for one attribute. Each value must be a PDAttrValue. The list is ordered and allows duplicates.

    public class PDAttrValueList extends java.util.ArrayList
            implements java.lang.Cloneable, java.io.Serializable {
        public PDAttrValueList(com.tivoli.pd.jutil.PDBasicContext context)
        public PDAttrValueList(com.tivoli.pd.jutil.PDBasicContext context, java.util.Collection c)
        public java.lang.Object set(int index, java.lang.Object element)
        public boolean add(java.lang.Object element)
        public void add(int index, java.lang.Object element)
        public boolean addAll(java.util.Collection c)
        public boolean addAll(int index, java.util.Collection c)
        public boolean equals(java.lang.Object obj)
        public java.lang.Object clone()
        public java.lang.String toString()
        public int hashCode()
    }
com.tivoli.pd.jutil.PDAttrValues

This class represents the collection of values for one attribute. Each value must be a PDAttrValue. The collection is unordered and does not allow duplicates.

    public class PDAttrValues extends java.util.HashSet
            implements java.lang.Cloneable, java.io.Serializable {
        public PDAttrValues(com.tivoli.pd.jutil.PDBasicContext context)
        public PDAttrValues(com.tivoli.pd.jutil.PDBasicContext context, java.util.Collection c)
        public boolean add(PDAttrValue value)
        public boolean add(java.lang.Object obj)
        public boolean addAll(java.util.Collection c)
        public java.lang.Object clone()
        public boolean equals(java.lang.Object obj)
        public java.lang.String toString()
        public int hashCode()
        public byte[] encode()
    }
com.tivoli.pd.jutil.PDStatics

This class contains various constants used in the PDPermission class and other associated classes.

    public class PDStatics extends java.lang.Object {
        public static final java.lang.String AZN_MOD_SVC_RAD_2AB
        public static final java.lang.String AZN_MOD_RAD_GROUP_NAMES
        public static final java.lang.String AZN_ENT_SVC_PD_POBJ
        public static final java.lang.String AZN_ENT_SVC_PD_POBJ_PATH
        public static final java.lang.String AZN_ENT_SVC_PD_POBJ_REQD_OPS
        public static final java.lang.String AZN_ENT_SVC_PD_POBJ_MATCHES
        public static final int QOP_NONE
        public static final int QOP_INTEGRITY
        public static final int QOP_PRIVACY
        public static final int AZN_VALTYPE_BUFFER
        public static final int AZN_VALTYPE_STRING
        public static final int AZN_VALTYPE_POBJ
        public static final int AZN_VALTYPE_ULONG
        public static final int AZN_PERMISSION_ALLOWED
        public static final int AZN_PERMISSION_DENIED
    }
Chapter 5. Upgrade considerations

Review Appendix B, “Deprecated Java authorization classes and methods,” on page 37 before making changes to an existing Java application. A number of classes and methods have been deprecated in this version of Tivoli Access Manager.

Administrators or application developers who use existing Java applications built using the authorization API provided in Tivoli SecureWay® Policy Director Version 3.8 need to be aware of the following changes introduced in Tivoli Access Manager.

1. The authorization ADK is now called the Tivoli Access Manager ADK and only contains the Javadoc information associated with the Java classes and methods. The authorization API Java classes and methods are provided as part of the Tivoli Access Manager Java runtime component. Both of these components can be installed from the Tivoli Access Manager base product CD.

2. The PD.jar file replaces the PDPerm.jar file that was provided in Tivoli SecureWay Policy Director. The PD.jar file contains the definitions for both the authorization Java classes as well as the administration Java classes.

3. You no longer need to copy the JAR files or make changes to the CLASSPATH environment variable to use Tivoli Access Manager Java classes and methods. The pdjrtecfg command line interface is used to make the Tivoli Access Manager JAR files available to one or more JREs on a system. See the IBM Tivoli Access Manager for e-business Command Reference for information on the pdjrtecfg command.

4. In Tivoli SecureWay Policy Director, two pdadmin commands had to be entered on the policy server before using the SvrSslCfg class to create configuration files. The SvrSslCfg class now automatically creates the necessary Tivoli Access Manager user account on the policy server.
Appendix A. com.tivoli.pd.jcfg.SvrSslCfg

This class is used to configure, unconfigure, and modify the configuration information associated with a Tivoli Access Manager Java application server.

    public class SvrSslCfg extends java.lang.Object {
        public static void main(java.lang.String[] argv) throws PDException
    }

The use of the com.tivoli.pd.jcfg.SvrSslCfg class can be summarized as follows:

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action { config | unconfig | addsvr | rmsvr | chgsvr | setport | setdblisten | setdbref | replcert }
        -admin_id admin_user_ID
        -admin_pwd admin_password
        -appsvr_id application_server_name
        -appsvr_pwd application_server_password
        -port port_number
        -mode { local | remote }
        -host Host_name_of_application_server
        -policysvr policy_server_name:port:rank [,...]
        -authzsvr authorization_server_name:port:rank [,...]
        -cfg_file fully_qualified_name_of_configuration_file
        -domain Tivoli_Access_Manager_domain
        -key_file fully_qualified_name_of_keystore_file
        -msg_id message_identifier
        -dblisten { true | false }
        -dbrefresh refresh_interval_in_seconds
        -dbdir name_of_directory_for_local_policy_database
        -cfg_action { create | replace }
Compatibility Note: The com.tivoli.mts.SvrSslCfg class has been deprecated in Tivoli Access Manager. Existing applications should change to use the new com.tivoli.pd.jcfg.SvrSslCfg class, as the deprecated class will be removed in a future version of the product.
After the successful configuration of a Tivoli Access Manager Java application server, SvrSslCfg creates a user account and server entries representing the Java application server in the Tivoli Access Manager user registry. In addition, SvrSslCfg creates a configuration file and a Java keystore file, which securely stores a client certificate, locally on the application server. This client certificate permits callers to make authenticated use of Tivoli Access Manager services. Conversely, unconfiguration removes the user and server entries from the user registry and cleans up the local configuration and keystore files.

The contents of an existing configuration file can be modified by using the SvrSslCfg class. The configuration file and the keystore file must already exist when calling SvrSslCfg with all options other than -action config or -action unconfig. A complete list of the actions available in the SvrSslCfg class is outlined following the description of the parameters in Table 3 on page 32.

Note: The following options are parsed and processed into the configuration file, but are otherwise ignored in this version of Tivoli Access Manager:
• -port
• -mode local
• -dblisten
• -dbdir
• -dbrefresh
Table 3. Description of parameters for the SvrSslCfg configuration action.

SvrSslCfg Parameter / Value

-admin_id user_ID
    A Tivoli Access Manager user with administrative privileges. This parameter is required.

-admin_pwd password
    Password associated with the Tivoli Access Manager administrative user specified. This parameter is required.

-appsvr_id name
    The name of the application server. This parameter is required.

-port port_number
    The TCP/IP port on which the application server listens for policy server notifications. This parameter is required.

-mode { local | remote }
    Indicates whether the application server processes requests remotely or locally. This parameter is required.

-policysvr hostname:port:rank [,hostname2:port2:rank2...]
    A list of Tivoli Access Manager policy servers with which the application server can communicate. The format of this entry is host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following indicates that two policy servers, both using the default TCP/IP port 7135, are available:
        primary.myco.com:7135:1,secondary.myco.com:7135:2
    This parameter is required.

-authzsvr hostname:port:rank [,hostname2:port2:rank2...]
    A list of Tivoli Access Manager authorization servers with which the application server can communicate. The format of this entry is host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following indicates that two authorization servers, both using the default TCP/IP port 7136, are available:
        secazn.myco.com:7136:2,primazn.myco.com:7136:1
    This parameter is required.

-cfg_file file_name
    Fully qualified name of the configuration file on the application server. SvrSslCfg -action config creates this file. The filename should have a .conf suffix. You can specify any valid name. This parameter is required.

-key_file file_name
    Fully qualified name of the keystore file on the application server. SvrSslCfg -action config creates this file. The filename should have a .ks suffix. You can specify any valid name. This parameter is required.
-msg_id message_identifier
    An identifier that determines the directory in which to locate the trace and log files that are generated when using this application server. This identifier is used only if Tivoli Common Directory logging is enabled for the Tivoli Access Manager Java runtime. Refer to the IBM Tivoli Access Manager for e-business Problem Determination Guide for more information on Tivoli Common Directory logging, message files and message file locations. This parameter is optional. There is no default value.

-domain domain_name
    The Tivoli Access Manager domain for the application server. This parameter is optional. The default value is the local domain.

-appsvr_pwd password
    The password for the user account in the user registry associated with the application server. This parameter is optional. If it is specified, the password must meet the current password rules in effect. If it is omitted, a default password is automatically generated.

-host host_name
    Host name of the application server. This parameter is optional. The default value is the local host.

-desc description
    Description of the application server. This parameter is optional. The default value is empty (no description).

-groups group_names
    The names of special groups the application server will be made a member of. This parameter is optional. The default value is empty (no special groups).

-dblisten { true | false }
    Indicates whether or not the application server listens for policy database updates. This parameter is optional. The default value is true. This parameter is ignored when the mode parameter is set to remote.

-dbdir directory_name
    The name of the directory to be used for the local copy of the policy database. This parameter is optional. If it is not specified, the default directory is the db directory, located just under the Tivoli Access Manager installation directory:
        installation_directory/db
    This parameter is ignored when the mode parameter is set to remote.

-dbrefresh number_of_seconds
    Indicates the time interval, in seconds, at which the application server polls the policy server for policy database updates. This parameter is optional. The value must be greater than or equal to zero. The default value is 600 seconds, or every 10 minutes. This parameter is ignored if the mode parameter is set to remote.

-cfg_action { create | replace }
    Indicates whether the configuration and keystore files should be created on the application server or replaced. This parameter is optional. The default action is replace. When the create option is specified but the files already exist, an exception is raised. When the replace option is specified, the configuration and keystore files must already exist.
Note: The host name is used to build a unique name (identity) for the application. The pdadmin user list command displays the application identity name in the following format:

    server_name/host_name

Note that the pdadmin server list command will display the server name in a slightly different format:

    server_name-host_name
-action config
    Configures an application server. Configuring a server creates user and server information in the user registry and creates local configuration and keystore files on the application server. Use the -action unconfig option to reverse this operation.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action config
        -admin_id admin_user_ID
        -admin_pwd admin_password
        -appsvr_id application_server_name
        -appsvr_pwd application_server_password
        -port port_number
        -mode { local | remote }
        [ -host Host_name_of_application_server ]
        -policysvr policy_server_name:port:rank [,...]
        -authzsvr authorization_server_name:port:rank [,...]
        -cfg_file fully_qualified_name_of_configuration_file
        [ -domain Tivoli_Access_Manager_domain ]
        -key_file fully_qualified_name_of_keystore_file
        [ -cfg_action { create | replace } ]

-action unconfig
    Unconfigures an application server. Removes the user and server information from the user registry, deletes the local keystore file, and removes the information for this application from the configuration file, but does not delete the configuration file. The unconfiguration operation fails only if the caller is unauthorized or the policy server cannot be contacted.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action unconfig
        -admin_id admin_user_ID
        -admin_pwd admin_password
        -appsvr_id application_server_name
        [ -host host_name_of_application_server ]
        -policysvr policy_server_name:port:rank [,...]
        -cfg_file fully_qualified_name_of_configuration_file
        [ -domain Tivoli_Access_Manager_domain ]

    Note: This action can succeed when there is no configuration file. When the configuration file does not exist, it is created and used as a temporary file to hold configuration information during the operation, and then the file is deleted completely.

-action addsvr
    Adds a policy or authorization server to the application server's configuration file.
    java com.tivoli.pd.jcfg.SvrSslCfg
        -action addsvr
        { -policysvr policy_server_name | -authzsvr authorization_server_name }
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.

-action rmsvr
    Removes a policy or authorization server from the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action rmsvr
        { -policysvr policy_server_name | -authzsvr authorization_server_name }
        -cfg_file fully_qualified_name_of_configuration_file

-action chgsvr
    Changes the port or preference ranking of a policy or authorization server in the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action chgsvr
        { -policysvr policy_server_name | -authzsvr authorization_server_name }
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.

-action replcert
    Replaces a certificate in the application server's keystore file. The certificate in the keystore expires based on the certificate lifetime set on the policy server. After the certificate expires, the -action replcert option must be used to generate a new certificate. The -action replcert option can also be used to invalidate an existing certificate, which is useful should a certificate become compromised.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action replcert
        -admin_id admin_user_ID
        -admin_pwd admin_password
        -appsvr_id application_server_name
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.

-action setport
    Sets the port on which the application server listens for policy database notifications. This only updates the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action setport
        -port port_number
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.

-action setdbdir
    Sets the database directory. This only updates the application server's configuration file.
    java com.tivoli.pd.jcfg.SvrSslCfg
        -action setdbdir
        -dbdir name_of_directory_for_local_policy_database
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.

-action setdbref
    Sets the database refresh interval, in seconds. This only updates the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action setdbref
        -dbrefresh refresh_interval_in_seconds
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.

-action setdblisten
    Sets the application listening mode. This only updates the application server's configuration file.

    java com.tivoli.pd.jcfg.SvrSslCfg
        -action setdblisten
        -dblisten { true | false }
        -cfg_file fully_qualified_name_of_configuration_file

    The configuration file must already exist when this action is called.
Appendix B. Deprecated Java authorization classes and methods

The classes and methods listed in Table 4 have been deprecated in IBM Tivoli Access Manager Version 5.1. Existing Java applications should be changed to use the replacement class or method indicated.

Table 4. Deprecated Java Classes

Deprecated Class or Method                                   Replacement Class or Method
com.tivoli.mts.PDAttrs()                                     com.tivoli.pd.jutil.PDAttrs()
com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, PDAttrValues)   com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, java.util.Collection)
com.tivoli.mts.PDAttrValue()                                 com.tivoli.pd.jutil.PDAttrValue()
com.tivoli.pd.jutil.PDAttrs.get(java.lang.String)            com.tivoli.pd.jutil.PDAttrs.getValues(java.lang.String)
com.tivoli.mts.PDAttrValues()                                com.tivoli.pd.jutil.PDAttrValues()
com.tivoli.mts.PDAttrValueList()                             com.tivoli.pd.jutil.PDAttrValueList()
com.tivoli.mts.PDStatics()                                   com.tivoli.pd.jutil.PDStatics()
com.tivoli.mts.SvrSslCfg                                     com.tivoli.pd.jcfg.SvrSslCfg
Appendix C. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control list (ACL). In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users’ access rights to that file.

access permission. The access privilege that applies to the entire object.

action. An access control list (ACL) permission attribute. See also access control list.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service will respond to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user’s eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization rule. See rule.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Tivoli Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization of requests for resources.

C

CA. See certificate authority.

CDAS. See Cross Domain Authentication Service.

CDMF. See Cross Domain Mapping Framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

CGI. See common gateway interface.
cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.

common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.

configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The machines, devices, and programs that make up a system, subsystem, or network.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations that add to and remove from the credentials attribute list, and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when the WebSEAL e-Community SSO functions are used.

D

daemon. A program that runs unattended to perform continuous or periodic systemwide functions, such as network control. Some daemons are triggered automatically to perform their task; others operate periodically.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.

distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.

digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.

DN. See distinguished name.

domain. (1) A logical grouping of users, systems, and resources that share common services and usually function with a common purpose. (2) That part of a computer network in which the data processing resources are under common control. See also domain name.

domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if the fully qualified domain name (FQDN) of a host system is as400.rchland.vnet.ibm.com, each of the following is a domain name: as400.rchland.vnet.ibm.com, vnet.ibm.com, ibm.com.

E

EAS. See External Authorization Service.

encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application specific data that will be consumed by the resource manager application in some way or added to the principal’s credentials for use further on in the authorization process. Customers may develop these services using the authorization ADK.

external authorization service. An authorization API runtime plug-in that can be used to make application or environment specific authorization decisions as part of the Tivoli Access Manager authorization decision chain. Customers may develop these services using the authorization ADK.
F

file transfer protocol (FTP). In the Internet suite of protocols, an application layer protocol that uses Transmission Control Protocol (TCP) and Telnet services to transfer bulk-data files between machines or hosts.

G

global signon (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Global signon grants users access to the computing resources they are authorized to use — through a single login. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single signon.

GSO. See global signon.

H

host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See Hypertext Transfer Protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.

IP. See Internet Protocol.

IPC. See Interprocess Communication.

J

junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. WebSEAL uses a junction to provide protective services on behalf of the back-end server.

K

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file. See key ring.

key file. See key ring.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.

key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

LDAP. See Lightweight Directory Access Protocol.

lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC 1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.

lightweight third party authentication (LTPA). An authentication framework that allows single sign-on across a set of Web servers that fall within an Internet domain.

LTPA. See lightweight third party authentication.

M

management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.

management server. Obsolete. See policy server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N

network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P

PAC. See privilege attribute certificate.

permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.

policy. A set of rules that are applied to managed resources.

policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.

polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.

POP. See protected object policy.

portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.

privilege attribute certificate. A digital document that contains a principal’s authentication and authorization attributes and a principal’s capabilities.

privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice versa. These services could also be used to package or marshal a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the authorization ADK. See also privilege attribute certificate.

protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.

protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also access control list, protected object, and protected object space.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.

private key. In computer security, a key that is known only to its owner. Contrast with public key.

public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q

quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.
R

registry. The datastore that contains access and configuration information for users, systems, and software.

replica. A server that contains a copy of the directory or directories of another server. Replicas back up servers in order to enhance performance or response times and to ensure data integrity.

resource object. The representation of an actual network resource, such as a service, file, or program.

response file. A file that contains a set of predefined answers to questions asked by a program and that is used instead of entering those values one at a time.

role activation. The process of applying the access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

routing file. An ASCII file that contains commands that control the configuration of messages.

RSA encryption. A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The system’s security depends on the difficulty of factoring the product of two large prime numbers.

rule. One or more logical statements that enable the event server to recognize relationships among events (event correlation) and to execute automated responses accordingly.

run time. The time period during which a computer program is executing. A runtime environment is an execution environment.

S

scalability. The ability of a network system to respond to increasing numbers of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describe the structure of a database. In a relational database, the schema defines the tables, the fields in each table, and the relationships between fields and tables.

secure sockets layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc.

security management. The management discipline that addresses an organization’s ability to control access to applications and data that are critical to its success.

self-registration. The process by which a user can enter required data and become a registered Tivoli Access Manager user, without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, servers, and finger servers), or it can be more complex work such as that of servers or process servers.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single signon (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately. See also global signon.

SSL. See Secure Sockets Layer.

SSO. See Single Signon.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource but requires the user to authenticate at a level at least as high as that required by the policy protecting a resource.

suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.
trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U

uniform resource identifier (URI). The character string used to identify content on the Internet, including the name of the resource (a directory and file name), the location of the resource (the computer where the directory and file name exist), and how the resource can be accessed (the protocol, such as HTTP). An example of a URI is a uniform resource locator, or URL.

uniform resource locator (URL). A sequence of characters that represent information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WPM. See Web Portal Manager.
Index

A
adding development systems 3
application server, configuring 15
applications, deploying 3, 5
authorization, non-Java 2, 21
authorization API, installing 2
authorization server 2
azn_entitlements_get_entitlements() function 22

B
building applications 3

C
classes
    PDAttrs 26
    PDAttrValue 27
    PDAttrValueList 27
    PDAttrValues 28
    PDLoginModule 25
    PDPermission 26
    PDPrincipal 25
    PDStatics 28
    SvrSslCfg 31
com.tivoli.mts.PDAttrs() 37
com.tivoli.mts.SvrSslCfg 37
com.tivoli.nts.PDAttrs.get() 37
com.tivoli.pd.jcfg.SvrSslCfg class 31
configuration 19
configuring 4
    application server 15
    into secure domain 14
credentials 9

D
defining 10
deploying an application 5
deprecated classes and methods 37
    com.tivoli.mts.PDAttrs 37
    com.tivoli.mts.PDAttrs.get() 37
    com.tivoli.mts.PDAttrs() 37
    com.tivoli.mts.PDAttrValue 37
    com.tivoli.mts.PDAttrValueList 37
    com.tivoli.mts.PDAttrValues 37
    com.tivoli.mts.PDStaticss 37
    com.tivoli.mts.SvrSslCfg 31, 37
development systems, adding 3

E
entitlements 22
entitlements service plug-in 22

F
file 10
files, installation directories 2

I
IBM Directory client 3
installation 2
installation directories 2
installation requirements 3

J
JAAS 9, 19
JAAS login file, configuring 19
JAAS model 9
JAAS policy 10
jaas.policy 10
Java 2 permission model 9
Java 2 security 8
Java application 14
Java classes 2
java runtime component 4
java.security 10

L
local mode, configuring 16
LoginModule 9

N
NameCallback 9

O
obtaining 9

P
PasswordCallback 9
PD.jar 29
PD.jar file 2
PDAttrs class 26
PDAttrValue class 27
PDAttrValueList class 27
PDAttrValues class 28
PDLoginModule 11
PDLoginModule class 25
PDPermission 10
PDPermission class 26
PDPrincipal class 25
PDPrincipal.getEntitlements 22
PDStatics class 28
protected objects entitlements service 22
R
registry, user 3
related publications xii
remote mode, configuring 16
requirements, for installation 3
resource manager sample code 20

S
secure domain 3
service plug-ins 22
signed JAR files 4
software requirements 3
SSL 2
SvrSslCfg 14
    addsvr 34
    chgsvr 35
    config 34
    configuring application server 15
    replcert 35
    rmsvr 35
    setdbdir 35
    setdblisten 36
    setdbref 36
    setport 35
    syntax 31
    unconfig 34
SvrSslCfg class 31
    adding a policy or authorization server 16
    changing a policy or authorization server 17
    configuring a server in local mode 16
    configuring a server in remote mode 16
    removing a policy or authorization server 17
    replacing a certificate 17
    setting the application listening mode 18
    setting the database directory 17
    setting the database refresh interval 18
    setting the port 17
    unconfiguring an application server 16

T
troubleshooting 5

U
upgrading Tivoli Access Manager 29
user authentication 9
user registry 3