To develop Java applications that use the Tivoli Access Manager administration
API, you must install and configure the required software.
I. Tivoli Access Manager software requirements
You must install and configure a secure domain. If you do not have a secure domain
installed, install one before beginning application development. The minimum
installation consists of a single system with the following Tivoli Access Manager
components installed:
1 Tivoli Access Manager runtime environment
2 Tivoli Access Manager Java runtime component
3 Tivoli Access Manager policy server
4 Tivoli Access Manager ADK
If you already have a Tivoli Access Manager secure domain installed and want to
add a development system to the domain, the minimum Tivoli Access Manager
installation consists of the following components:
1 Tivoli Access Manager runtime environment
2 Tivoli Access Manager Java runtime component
3 Tivoli Access Manager ADK
Notes:
1. The installation of Tivoli Access Manager requires the installation of the Tivoli
Access Manager runtime component. This runtime component is not required
for developing or deploying Java applications. In this specific situation, you can
reclaim the disk space that is used by the Tivoli Access Manager ADK and
runtime components while saving the Javadoc HTML information and the
example files from the ADK component.
To reclaim this disk space, copy the Javadoc information, consisting of the
entire AM_BASE/nls/javadocs directory tree, and copy the sample Java
program, in the AM_BASE/example directory tree, to another location on your
development system and then uninstall the Tivoli Access Manager ADK and
runtime components.
2. If you intend to use the Tivoli Access Manager runtime environment for an
administration C API application, you must also install the IBM Directory client
if an LDAP or Lotus Domino server is being used as the user registry in the
secure domain.
II. Configuration of the Java runtime component to a particular Java runtime environment
Configure the Access Manager Runtime for Java component to use the proper JRE
on the system by using the pdjrtecfg command. The Tivoli Access Manager Java
runtime component can be configured to several different JREs on the same
system, if required. See the IBM Tivoli Access Manager for e-business: Installation
Guide for details.
III. Configuration of the Java administration classes
The com.tivoli.pd.jcfg.SvrSslCfg Java class must be used to configure the
administration Java APIs. See the IBM Tivoli Access Manager for e-business:
Authorization Java Classes Developer Reference for details on the SvrSslCfg utility.
Notes:
1. Do not use the svrsslcfg command-line interface to create configuration files
that are to be used with Java applications.
2. The com.tivoli.mts.SvrSslCfg class provided in previous versions of Tivoli
Access Manager and IBM SecureWay Policy Director has been deprecated. Use
the new com.tivoli.pd.jcfg.SvrSslCfg class instead.
IV. Security requirements
To run a Java application under a Java security manager, the application must
hold the Java permission that the administration Java APIs check. Code installed
as a Java extension in the JAVA_HOME/lib/ext directory is granted all permissions
by the default policy; an application that is not installed there must instead be
granted the permission by an entry in the JAVA_HOME/lib/security/java.policy file.
To give the Java applications located in the /sb/pdsb/export/classes directory,
and all its subdirectories, the permission they need to use the administration
Java classes and methods, add a statement like the following to the java.policy
file:
// Give applications in /sb/pdsb/export/classes and
// its subdirectories access to the Access Manager
// Administration APIs
grant codeBase "file:/sb/pdsb/export/classes/-" {
permission javax.security.auth.AuthPermission "PDAdmin";
};
Invoke administration Java classes and methods from a privileged block,
doPrivileged(), to alleviate the need for the application callers to have this Java
permission as well.
The PD.jar file is signed, but verification of the signing of JAR files is not
supported in this version of Tivoli Access Manager.
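The following is an added example, not code from the page or from IBM, showing the pattern section IV describes: a small wrapper class that performs the administration calls inside AccessController.doPrivileged(), so that only the code base holding the wrapper needs the AuthPermission "PDAdmin" grant in java.policy and the callers further up the stack do not. The class name PrivilegedPDAdmin, the program name, admin ID, password and configuration path in main() are assumptions for the example; the PDAdmin, PDContext and PDUser calls are the same ones the sample application later on this page uses.

```java
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDAdmin;
import com.tivoli.pd.jadmin.PDUser;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/**
 * Added example (not IBM code). Runs Tivoli Access Manager administration calls
 * inside AccessController.doPrivileged(). With a security manager active the
 * permission check stops at the doPrivileged frame, so only the code base that
 * contains this class needs
 *     permission javax.security.auth.AuthPermission "PDAdmin";
 * in java.policy; the code that calls the wrapper does not.
 */
public final class PrivilegedPDAdmin
{
    private final PDContext ctxt;

    private PrivilegedPDAdmin(PDContext ctxt)
    {
        this.ctxt = ctxt;
    }

    /** Initializes the API and opens an administration context in a privileged block. */
    public static PrivilegedPDAdmin open(final String programName, final String adminId,
                                         final char[] adminPwd, final URL configURL)
        throws PDException
    {
        return run(new PrivilegedExceptionAction<PrivilegedPDAdmin>() {
            public PrivilegedPDAdmin run() throws PDException
            {
                PDAdmin.initialize(programName, new PDMessages());
                return new PrivilegedPDAdmin(
                    new PDContext(Locale.US, adminId, adminPwd, configURL));
            }
        });
    }

    /** Read-only query: is the named Tivoli Access Manager user's account valid? */
    public boolean isAccountValid(final String userName) throws PDException
    {
        Boolean valid = run(new PrivilegedExceptionAction<Boolean>() {
            public Boolean run() throws PDException
            {
                PDUser user = new PDUser(ctxt, userName, new PDMessages());
                return Boolean.valueOf(user.isAccountValid());
            }
        });
        return valid.booleanValue();
    }

    /** Closes the context and shuts the API down, again inside a privileged block. */
    public void close() throws PDException
    {
        run(new PrivilegedExceptionAction<Object>() {
            public Object run() throws PDException
            {
                ctxt.close();
                PDAdmin.shutdown(new PDMessages());
                return null;
            }
        });
    }

    /** Runs the action privileged and unwraps the checked PDException it may throw. */
    private static <T> T run(PrivilegedExceptionAction<T> action) throws PDException
    {
        try
        {
            return AccessController.doPrivileged(action);
        }
        catch (PrivilegedActionException e)
        {
            throw (PDException) e.getException();
        }
    }

    /** Demo driver; the program name, credentials and config path are assumptions. */
    public static void main(String[] args) throws Exception
    {
        PrivilegedPDAdmin admin = PrivilegedPDAdmin.open("app1-localhost", "sec_master",
            "object00".toCharArray(),
            new URL("file:///opt/PolicyDirector/etc/app1.properties"));
        try
        {
            System.out.println("DemoUser valid: " + admin.isAccountValid("DemoUser"));
        }
        finally
        {
            admin.close();
        }
    }
}
```

To see the difference the privileged block makes, grant the "PDAdmin" permission only to the directory that holds PrivilegedPDAdmin.class and run with `java -Djava.security.manager PrivilegedPDAdmin`; a caller class loaded from an unprivileged directory can still call isAccountValid(), but would fail with an AccessControlException if it invoked PDUser directly.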
Environment: rhel-server-5.3-x86_64 for the Java developer system. A Tivoli Access Manager secure domain is already installed on another system (e.g. host "tam").
All needed packages and patches come from IBM Tivoli Access Manager Base for Linux on x86 v6.1.1.
The Tivoli Access Manager runtime environment and the Tivoli Access Manager ADK are optional on this system.
1. Install ibm-java2-i386-sdk-5.0-5.0.i386.rpm
rpm -ivh libXp-1.0.0-8.i386.rpm
rpm -ivh compat-libstdc++-33-3.2.3-61.i386.rpm
rpm -ivh ibm-java2-i386-sdk-5.0-5.0.i386.rpm
Add the JDK to the environment. JAVA_HOME must point at the JDK root, not at its bin directory, because tools derive paths such as $JAVA_HOME/lib from it; and do not append "." to PATH, since a root shell would then run a binary planted in whatever directory it happens to be in:
~]# vi .bashrc
JAVA_HOME=/opt/ibm/java2-i386-50
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
~]# source .bashrc
Notes: If java -version fails with the following error, SELinux is blocking the JVM's shared libraries:
~]# java -version
Failed to find VM - aborting
The fix used here was to disable SELinux and reboot the system:
~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
On anything other than a throwaway development box, first confirm the cause with `setenforce 0` (permissive until the next reboot) and prefer a targeted fix, such as relabelling the JVM's shared libraries with `chcon -t textrel_shlib_t` or enabling the allow_execmem/allow_execstack booleans with `setsebool -P`, so the rest of the system keeps its policy.
2. Install the Tivoli Access Manager Java runtime component
TAM]# install_amjrte
3. Configure the Java administration classes
~]# java com.tivoli.pd.jcfg.SvrSslCfg -action config \
-admin_id sec_master \
-admin_pwd object00 \
-appsvr_id app1 \
-port 33333 \
-mode remote \
-host localhost \
-policysvr tam:7135:1 \
-authzsvr tam:7136:2 \
-cfg_file /opt/PolicyDirector/etc/app1.properties \
-domain Default \
-key_file /var/PolicyDirector/keytab/app1.ks \
-cfg_action create
This writes app1.properties and the keystore app1.ks, which together are app1's credential for connecting to the policy server: anyone who can read both can connect as app1, so leave them owned by the account that runs the application with mode 600. The -admin_pwd value also lands in the shell history and is visible in ps while the command runs; object00 is a lab password here, but on a real system use a dedicated administrative ID rather than sec_master and clear the shell history afterwards.
4. Sample administration application (PDAdminApp1.java)
import java.net.URL;
import java.util.ArrayList;
import java.util.Locale;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDMessages;
import com.tivoli.pd.jutil.PDRgyUserName;
import com.tivoli.pd.jutil.PDRgyGroupName;
import com.tivoli.pd.jadmin.PDAdmin;
import com.tivoli.pd.jadmin.PDGroup;
import com.tivoli.pd.jadmin.PDUser;

public class PDAdminApp1
{
    public static void main(String [] args) throws Exception
    {
        PDMessages msgs = new PDMessages();
        // application name = {appsvrid}-{host}, as configured with SvrSslCfg above
        String prog = "app1-localhost";
        // Demo only: the sec_master credentials are hard-coded to match the SvrSslCfg
        // step. Real code should obtain them at run time; a literal ends up in the class file.
        String adminName = "sec_master";
        char[] adminPassword = "object00".toCharArray();
        String configURLStr = "file:///opt/PolicyDirector/etc/app1.properties";
        // registry suffix under which the demo group and user are created
        String rgySuffix = "c=us";
        // ISO language/country codes, not the words "ENGLISH"/"US"
        Locale locale = Locale.US;

        System.out.println("Initializing PDAdmin...\n");
        PDAdmin.initialize(prog, msgs);
        processMsgs(msgs);

        PDContext ctxt = null;
        try
        {
            URL configURL = new URL(configURLStr);
            System.out.println("Creating a context...\n");
            ctxt = new PDContext(locale, adminName, adminPassword, configURL);

            String group = "TestGroup1";
            String rgyGroup = "cn=" + group + "," + rgySuffix;
            PDRgyGroupName pdRgyGroupName = new PDRgyGroupName(rgyGroup);
            System.out.println("Creating a group...\n");
            PDGroup.createGroup(ctxt,
                                group,
                                pdRgyGroupName,
                                null, // description
                                null, // container
                                msgs);
            processMsgs(msgs);

            String name = "DemoUser";
            String firstName = "Demo";
            String lastName = "User";
            String password = "DemoPassword";
            String description = "Demo Description";
            String rgyName = "cn=" + name + "," + rgySuffix;
            PDRgyUserName pdRgyUserName =
                new PDRgyUserName(rgyName, firstName, lastName);
            boolean ssoUser = false;
            boolean pwdPolicy = true;
            ArrayList<String> groupList = new ArrayList<String>();
            groupList.add(group);
            System.out.println("Creating a user...\n");
            PDUser.createUser(ctxt,
                              name,
                              pdRgyUserName,
                              description,
                              password.toCharArray(),
                              groupList,
                              ssoUser,
                              pwdPolicy,
                              msgs);
            processMsgs(msgs);

            System.out.println("Getting a user...\n");
            PDUser pdUser = new PDUser(ctxt, name, msgs);
            processMsgs(msgs);
            // A newly created user is not account-valid until it is enabled explicitly
            System.out.println("User " + name + ".isAccountValid: " +
                               pdUser.isAccountValid() + "\n");
            System.out.println("Setting the user's account to valid using the instance set method ...\n");
            pdUser.setAccountValid(ctxt, true, msgs);
            processMsgs(msgs);
        }
        finally
        {
            // Release the context and the API even if a call above threw a PDException
            if (ctxt != null)
            {
                ctxt.close();
            }
            System.out.println("Shutting down PDAdmin...\n");
            PDAdmin.shutdown(msgs);
            processMsgs(msgs);
        }
    }

    // Print and clear any informational or warning messages returned by a call
    static void processMsgs(PDMessages msgs)
    {
        if (msgs.size() > 0)
        {
            System.out.println("Msgs are: " + msgs + "\n");
            msgs.clear();
        }
    }
}
~]# javac PDAdminApp1.java
~]# java PDAdminApp1
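The sample above leaves DemoUser and TestGroup1 behind in the policy database and the LDAP registry, and it carries the sec_master password as a string literal. The following added example (not code from the page or from IBM) removes both objects and reads the administrator password from standard input instead of the command line or the source. The class name PDAdminCleanup and the program name are assumptions; PDUser.deleteUser and PDGroup.deleteGroup with a boolean "delete from registry" argument are the methods as I know them from the TAM 6.1 Javadoc, so check the signatures against the copy in AM_BASE/nls/javadocs before relying on them.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDAdmin;
import com.tivoli.pd.jadmin.PDGroup;
import com.tivoli.pd.jadmin.PDUser;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/**
 * Added example (not IBM code). Removes the objects PDAdminApp1 creates
 * (DemoUser and TestGroup1) from the policy database and the user registry.
 *
 * Usage: java PDAdminCleanup <admin-id> <config-url>
 * The password is read from standard input so that it never appears on the
 * command line, in the shell history or in ps output.
 */
public class PDAdminCleanup
{
    private static final String DEMO_USER  = "DemoUser";
    private static final String DEMO_GROUP = "TestGroup1";

    public static void main(String[] args) throws Exception
    {
        if (args.length != 2)
        {
            System.err.println("usage: java PDAdminCleanup <admin-id> <config-url>");
            System.exit(2);
        }
        String adminId = args[0];
        URL configURL = new URL(args[1]);

        // Java 5 has no System.console(), so echo is not suppressed; pipe the
        // password in from a protected file if that matters on the terminal.
        System.err.print("Password for " + adminId + ": ");
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        if (line == null || line.length() == 0)
        {
            System.err.println("no password given");
            System.exit(2);
        }
        char[] pwd = line.toCharArray();

        PDMessages msgs = new PDMessages();
        PDAdmin.initialize("PDAdminCleanup", msgs);
        report("initialize", msgs);

        PDContext ctxt = null;
        int failures = 0;
        try
        {
            ctxt = new PDContext(Locale.US, adminId, pwd, configURL);
            Arrays.fill(pwd, '\0');   // our copy of the secret is no longer needed
            // Delete the user first so the group is empty when it is removed.
            // true = also delete the LDAP entry, not only TAM's metadata for it.
            failures += deleteUser(ctxt, DEMO_USER);
            failures += deleteGroup(ctxt, DEMO_GROUP);
        }
        finally
        {
            if (ctxt != null)
            {
                ctxt.close();
            }
            PDAdmin.shutdown(msgs);
            report("shutdown", msgs);
        }
        System.exit(failures == 0 ? 0 : 1);
    }

    /** Deletes one user; returns 0 on success, 1 if the server rejected the call. */
    private static int deleteUser(PDContext ctxt, String name)
    {
        PDMessages msgs = new PDMessages();
        try
        {
            PDUser.deleteUser(ctxt, name, true, msgs);
            report("deleteUser " + name, msgs);
            return 0;
        }
        catch (PDException e)
        {
            // Typically "not found" on a rerun; keep going so the group is still removed
            System.err.println("deleteUser " + name + " failed: " + e);
            return 1;
        }
    }

    /** Deletes one group; same contract as deleteUser. */
    private static int deleteGroup(PDContext ctxt, String name)
    {
        PDMessages msgs = new PDMessages();
        try
        {
            PDGroup.deleteGroup(ctxt, name, true, msgs);
            report("deleteGroup " + name, msgs);
            return 0;
        }
        catch (PDException e)
        {
            System.err.println("deleteGroup " + name + " failed: " + e);
            return 1;
        }
    }

    /** Prints and clears any informational or warning messages from a call. */
    private static void report(String step, PDMessages msgs)
    {
        if (msgs.size() > 0)
        {
            System.out.println(step + ": " + msgs);
            msgs.clear();
        }
    }
}
```

Run it as `java PDAdminCleanup sec_master file:///opt/PolicyDirector/etc/app1.properties` after PDAdminApp1; the exit status is non-zero if either delete was refused, which makes it usable from a test script.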