
IBM Tivoli Access Manager

Authorization Java Classes Developer Reference


Version 5.1

SC32-1350-00


Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 39.

Limited Edition (November 2003)

This edition replaces SC32-1141-01.

Copyright International Business Machines Corporation 2002, 2003. All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  v
Tables  vii
Preface  ix
  Who should read this book  ix
  What this book contains  ix
  Publications  x
    Release information  x
    Base information  x
    Web security information  x
    Developer references  xi
    Technical supplements  xii
    Related publications  xii
  Accessing publications online  xv
  Accessibility  xv
  Contacting software support  xv
  Conventions used in this book  xvi
    Typeface conventions  xvi
    Operating system differences  xvi

Chapter 1. Introducing the authorization API  1
  Authorization API components  2
  Building Java applications with the authorization API  3
    IBM Tivoli Access Manager software requirements  3
    JRE requirements  3
    Configuring the Java runtime component to a particular Java runtime environment  4
    Java Security requirements  4
  Deploying a Java authorization API application  5

Chapter 2. Understanding security in IBM Tivoli Access Manager  7
  Using Java 2 security with IBM Tivoli Access Manager  8
  Java Authentication and Authorization Service (JAAS) model  9
  Authenticating users and obtaining credentials  9
  Authorizing access requests  10

Chapter 3. Using the authorization API  13
  Configuring a Java application into the secure domain  14
    Configuring an application server  15
    Unconfiguring an application server  16
    Adding a policy or authorization server  16
    Removing a policy or authorization server  17
    Changing a policy or authorization server  17
    Replacing a certificate  17
    Setting the port  17
    Setting the database directory  17
    Setting the database refresh interval  18
    Setting the application listening mode  18
  Configuring the Java Authentication and Authorization Service  19
    Creating a login configuration file  19
    Specify the login file location  19
  Developing a resource manager  20
  Making authorization decisions outside of Java 2  21
  Obtaining entitlements for a specified user  22

Chapter 4. Java classes overview  25
  com.tivoli.mts.PDLoginModule  25
  com.tivoli.mts.PDPrincipal  25
  com.tivoli.mts.PDPermission  26
  com.tivoli.pd.jutil.PDAttrs  26
  com.tivoli.pd.jutil.PDAttrValue  27
  com.tivoli.pd.jutil.PDAttrValueList  27
  com.tivoli.pd.jutil.PDAttrValues  28
  com.tivoli.pd.jutil.PDStatics  28

Chapter 5. Upgrade considerations  29

Appendix A. com.tivoli.pd.jcfg.SvrSslCfg  31
  action config  34
  action unconfig  34
  action addsvr  34
  action rmsvr  35
  action chgsvr  35
  action replcert  35
  action setport  35
  action setdbdir  35
  action setdbref  36
  action setdblisten  36

Appendix B. Deprecated Java authorization classes and methods  37

Appendix C. Notices  39
  Trademarks  40

Glossary  43

Index  49

Figures

1. JAAS login configuration file  19
2. Resource manager task example  20
3. Example showing authorization outside of Java 2  21
4. Using the PDPrincipal.getEntitlements method  22
5. Processing protected objects returned  23

Tables

1. Files associated with the Tivoli Access Manager Java runtime and ADK components  2
2. Sample information used for SvrSslCfg examples  14
3. Description of parameters for the SvrSslCfg configuration action  32
4. Deprecated Java Classes  37

Preface
This reference contains information about how to use Tivoli Access Manager authorization Java classes and methods. This document describes the Java implementation of the Tivoli Access Manager authorization API. See the IBM Tivoli Access Manager for e-business Administration C API Developer Reference for information regarding the C implementation of these APIs.

Who should read this book


This reference is for application programmers implementing programs in the Java programming language that require the use of the authorization functions provided with the IBM Tivoli Access Manager product. Readers should be familiar with the following:
• PC and UNIX operating systems
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
• The user registry that Tivoli Access Manager is configured to use
• Lightweight Directory Access Protocol (LDAP) and directory services, if used by your user registry
• Authentication and authorization
• Secure Sockets Layer (SSL) communications

What this book contains


This reference contains the following chapters and appendixes:
• Chapter 1, Introducing the authorization API, on page 1
  This chapter provides an overview of the authorization API and its components.
• Chapter 2, Understanding security in IBM Tivoli Access Manager, on page 7
  This chapter provides an overview of the Java classes and methods.
• Chapter 3, Using the authorization API, on page 13
  This chapter provides information on configuring the authorization API.
• Chapter 4, Java classes overview, on page 25
  This chapter provides an overview of the Java classes and methods provided as part of the authorization API.
• Chapter 5, Upgrade considerations, on page 29
  This chapter outlines considerations for upgrading Java applications from a previous version of Tivoli SecureWay Policy Director or IBM Tivoli Access Manager.
• Appendix A, com.tivoli.pd.jcfg.SvrSslCfg, on page 31
  This appendix describes com.tivoli.pd.jcfg.SvrSslCfg. This class is used to configure and unconfigure the Tivoli Access Manager Java application.
• Appendix B, Deprecated Java authorization classes and methods, on page 37
  This appendix provides a list of the Java classes and methods that have been deprecated in this version of Tivoli Access Manager.
• Appendix C, Notices, on page 39
  This appendix provides copyright, legal, and trademark information.

Publications
Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
• Release information
• Base information
• Web security information
• Developer references on page xi
• Technical supplements on page xii

Release information
• IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information
• IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
• IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information


• IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
• IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
• IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere Application Server.
• IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
• IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
• IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references
• IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
• IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
• IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
• IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
• IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements
• IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
• IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications
This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit


Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.

The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
• IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server


IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
• IBM Directory Server (Version 4.1 and Version 5.1)
• IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS, or OS/390 LDAP servers as the user registry for Tivoli Access Manager. Additional information about DB2 can be found at: http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server


IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD. Additional information about IBM WebSphere Application Server can be found at: http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration


IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries, Version 5.2, and IBM WebSphere MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
• IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
• IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers


IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems


IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
• IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
• IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
• IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
• IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager


IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online


The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page. Product publications include release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).

Accessibility
Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support


Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support

Conventions used in this book


This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions
The following typeface conventions are used in this reference:

Bold
    Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
    Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
    Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences


This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. Introducing the authorization API


The IBM Tivoli Access Manager (Tivoli Access Manager) Java runtime component includes the Java language version of a subset of the Tivoli Access Manager authorization API. The authorization API consists of a set of classes and methods that provide Java applications with the ability to interact with Tivoli Access Manager to make authentication and authorization decisions.

Application developers can use the Javadoc information provided with the Tivoli Access Manager application developer kit (ADK), along with this book and other Java reference materials, to add Tivoli Access Manager authorization and security services to new or existing Java applications. Application developers updating an existing Tivoli Access Manager application should check Appendix B, Deprecated Java authorization classes and methods, on page 37 before making changes.

Note: If you are familiar with the authorization API Java classes provided in Tivoli SecureWay Policy Director Version 3.8, see Chapter 5, Upgrade considerations, on page 29 for important information.

This chapter contains the following topics:
• Authorization API components on page 2
• Building Java applications with the authorization API on page 3
• Deploying a Java authorization API application on page 5

Authorization API components


The authorization API Java classes are installed as part of the Tivoli Access Manager Java runtime component. These classes communicate directly with the Tivoli Access Manager authorization server by establishing an authenticated, Secure Sockets Layer (SSL) session with the authorization server process. The authorization server services these requests in the same manner that it services requests from the authorization C API. Table 1 lists the files related to the authorization API that are installed as part of the Tivoli Access Manager Java runtime component. The Javadoc information, even though it is installed as part of the Tivoli Access Manager ADK component, is listed in the table for completeness.
Table 1. Files associated with the Tivoli Access Manager Java runtime and ADK components

Directory: JAVA_HOME/lib/ext
  PD.jar
      The Java Archive (JAR) file containing the classes and methods associated with both the authorization API and the administration API.
  ibmjsse.jar
      The JAR file encapsulating the Java Secure Socket Extension (JSSE) support, which provides a Java implementation of SSL.
  ibmjcefw.jar, ibmjceprovider.jar, local_policy.jar, US_export_policy.jar
      The JAR files comprising part of the Java Cryptography Extension (JCE).
  ibmpkcs.jar
      The JAR file containing the Public Key Cryptography Standard (PKCS) support.
  jaas.jar
      The JAR file encapsulating the Java Authentication and Authorization Service (JAAS).

Directory: AM_BASE/nls/javadocs/pdjrte
  index.html (and many others)
      Javadoc HTML documentation for the Java classes and methods provided with the Tivoli Access Manager Java runtime component.

Note: The PD.jar file replaces the PDPerm.jar file that was provided in Tivoli SecureWay Policy Director Version 3.8. To make the JAR files listed in Table 1 available to a particular JRE, see Configuring the Java runtime component to a particular Java runtime environment on page 4.
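The JAR files in Table 1 have to be present in the lib/ext directory of the JRE that will run the application, and a leftover PDPerm.jar from Policy Director 3.8 is a sign of an incomplete upgrade. The following POSIX shell function is an added example, not code from the IBM manual or the product: it checks a given JRE home for every JAR the table lists and reports anything missing. The function name check_tam_jars and the TAM_JARS variable are this example's own; the JAR file names are taken from Table 1, and the paths follow the UNIX conventions the book uses.

```shell
#!/bin/sh
# Added example (not part of the IBM manual): verify that a JRE has the JAR
# files from Table 1 installed in its lib/ext directory before deploying a
# Tivoli Access Manager authorization API application to it.

# JAR names as listed in Table 1 of the manual.
TAM_JARS="PD.jar ibmjsse.jar ibmjcefw.jar ibmjceprovider.jar local_policy.jar US_export_policy.jar ibmpkcs.jar jaas.jar"

# check_tam_jars JRE_HOME
# Writes one line per missing JAR to stderr and returns the number of missing
# files, so 0 means the JRE is ready. A JRE without a lib/ext directory
# returns 1 immediately. Constructed helper; not a product command.
check_tam_jars() {
    ext_dir="$1/lib/ext"
    missing=0
    if [ ! -d "$ext_dir" ]; then
        echo "no lib/ext directory under $1" >&2
        return 1
    fi
    for jar in $TAM_JARS; do
        if [ ! -f "$ext_dir/$jar" ]; then
            echo "missing: $ext_dir/$jar" >&2
            missing=$((missing + 1))
        fi
    done
    # The manual notes that PD.jar replaced PDPerm.jar from Policy Director 3.8;
    # an old copy left beside PD.jar points at an incomplete upgrade.
    if [ -f "$ext_dir/PDPerm.jar" ]; then
        echo "warning: obsolete PDPerm.jar found in $ext_dir (replaced by PD.jar)" >&2
    fi
    return "$missing"
}

# Usage from a deployment script (JAVA_HOME as in Table 1):
#   check_tam_jars "$JAVA_HOME" || echo "JRE is not ready for Tivoli Access Manager"
```

Run it against each JRE that an application server or standalone application will use; the exit status lets a deployment script stop before the application fails at runtime with class-not-found or SSL provider errors.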


Building Java applications with the authorization API


To develop Java applications that use the Tivoli Access Manager authorization API, you must install and configure the required software.

IBM Tivoli Access Manager software requirements


You must install and configure a Tivoli Access Manager secure domain. If you do not have a Tivoli Access Manager secure domain installed, install one before beginning application development. The minimum installation consists of a single system with the following Tivoli Access Manager components installed:

- Tivoli Access Manager runtime environment (see Note 1 on page 3)
- Tivoli Access Manager Java runtime component
- Tivoli Access Manager policy server
- Tivoli Access Manager authorization server
- Tivoli Access Manager ADK

If you already have a Tivoli Access Manager secure domain installed and want to add a development system to the domain, the minimum Tivoli Access Manager installation consists of the following components:

- Tivoli Access Manager runtime environment (see Note 1 on page 3)
- Tivoli Access Manager Java runtime component
- Tivoli Access Manager ADK

For Tivoli Access Manager installation instructions, refer to the section of the IBM Tivoli Access Manager Base Installation Guide for your operating system platform.

Notes:

1. The Tivoli Access Manager runtime environment component is not needed for developing or deploying a Tivoli Access Manager Java application. The prerequisite checking for the Tivoli Access Manager ADK component erroneously requires that the Tivoli Access Manager runtime component be installed, even if you are developing only Java applications and need only the Javadoc information and the example files from the ADK component. To save disk space, you can copy the Javadoc HTML information, consisting of the entire AM_BASE/nls/javadocs directory tree, to another location on your development system and then uninstall the Tivoli Access Manager ADK and runtime components. Only the Tivoli Access Manager Java runtime component is necessary for running Java applications.

2. If you intend to use the Tivoli Access Manager runtime environment for an authorization C API application, you also must install the IBM Directory client if an LDAP or Lotus Domino server is being used as the user registry in the secure domain.

JRE requirements
On those operating system platforms that support the Tivoli Access Manager authorization API Java classes and methods, the base installation CD contains an optionally installable JRE. You also can choose to use any of the supported JREs listed in the IBM Tivoli Access Manager for e-business Release Notes for developing and deploying your Tivoli Access Manager Java applications. After you have installed a suitable JRE, configure it for use with Tivoli Access Manager as outlined in the next section, Configuring the Java runtime component to a particular Java runtime environment on page 4.

Configuring the Java runtime component to a particular Java runtime environment


Configure the Tivoli Access Manager Java runtime component to use the proper JRE on the system by using the pdjrtecfg command. The pdjrtecfg command copies the Tivoli Access Manager JAR files to the JAVA_HOME/lib/ext directory of the JRE, automatically making the Tivoli Access Manager classes and methods available. The CLASSPATH in your environment does not need to be modified. The Tivoli Access Manager Java runtime component can be configured to several different JREs on the same system, if desired. See the IBM Tivoli Access Manager for e-business Command Reference for details.

Security requirements
The PD.jar file is signed and verified in this version of Tivoli Access Manager. The SvrSslCfg Java class (com.tivoli.pd.jcfg.SvrSslCfg) must be used to create configuration files that are to be used by Java applications. See Configuring a Java application into the secure domain on page 14 for details on using the SvrSslCfg class. Note: The svrsslcfg command line interface and the SvrSslCfg Java utility are not interchangeable. Do not use the svrsslcfg command line interface to create configuration files that are to be used with Java applications. Do not use the SvrSslCfg Java class to create configuration files for use by C applications.


Deploying a Java authorization API application


Once you have developed and tested your Java application that uses the Tivoli Access Manager authorization API, you can deploy the application to systems that are configured as part of a Tivoli Access Manager secure domain. The Tivoli Access Manager Java runtime component is the only Tivoli Access Manager component that must be installed on a system to run a Tivoli Access Manager Java application. The Tivoli Access Manager runtime component is not needed for running Java applications. Note: Information on installing the Tivoli Access Manager Java runtime component can be found in the IBM Tivoli Access Manager Base Installation Guide. For information on troubleshooting Java applications with Tivoli Access Manager, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.


Chapter 2. Understanding security in IBM Tivoli Access Manager


The IBM Tivoli Access Manager (Tivoli Access Manager) authorization Java classes provide an implementation of Java security code that is fully compliant with the Java 2 security model and the Java Authentication and Authorization Service (JAAS). The Tivoli Access Manager authorization Java classes are described in the following sections:

- Using Java 2 security with IBM Tivoli Access Manager on page 8
- Java Authentication and Authorization Service (JAAS) model on page 9


Using Java 2 security with IBM Tivoli Access Manager


The Java 2 security architecture is policy-based, and allows for fine-grained access control. When code is loaded, it is assigned permissions based on the security policy currently in effect. Each permission specifies a permitted access to a particular resource, such as read access to a specified file, or connect access to a specified host and port. The policy specifies which permissions are available for code from various signers and locations. The policy can be initialized from an external configuration file. Code can access a resource only if the permission that guards the resource gives the code explicit permission. These new concepts of permission and policy enable Java 2 to offer fine-grained, highly configurable, flexible, and extensible access control. Such access control can now be specified for all Java code, including applications, beans, and servlets.

The Tivoli Access Manager authorization server provides an SSL-based access mode for handling remote authorization calls. The Tivoli Access Manager Java authorization API uses this socket-based capability to provide functionality equivalent to that provided in the authorization C API by the azn_decision_access_allowed() and azn_decision_access_allowed_ext() functions. The azn_decision_access_allowed() function requires the following information:

- Authentication information
- Resource name
- Access mode

The Java 2 permission model provides the resource name and the access mode. The Java Authentication and Authorization Service (JAAS) extensions to the Java 2 model provide the authentication information. Tivoli Access Manager functions as a back-end for normal Java 2 permission checks by providing:

- A custom JAAS LoginModule that manufactures authentication credentials.
- A custom permission class that knows how to locate and call Tivoli Access Manager.

Note: Tivoli Access Manager Java authorization servers operate as remote mode servers, even when configured as local mode servers. Local cache mode is not supported by the Tivoli Access Manager Java authorization API.


Java Authentication and Authorization Service (JAAS) model


The Java 2 permission model takes into account the following information:

- The physical origin (the directory or URL) of the classes that are currently active.
- The logical origin of those classes.
- The identity of the organization that produced the classes, as proved by digital signature.

This model serves well the browsers that first popularized Java, as it deals effectively with the issues of mobile code. JAAS augments the current Java 2 runtime to add knowledge of the user who is trying to run the application. This knowledge provides the authentication information needed when implementing the security model. JAAS augments the Java 2 security model to enable the following features:

- Specification of permissions based on a user's identity.
- Enforcement of those permissions at application runtime.

These two features provide the authorization functionality needed when implementing the security model. The following sections describe how the Tivoli Access Manager authorization Java classes use the JAAS model:

- Authenticating users and obtaining credentials on page 9
- Authorizing access requests on page 10

Authenticating users and obtaining credentials


The Tivoli Access Manager Java-based authentication feature is built around the Java Authentication and Authorization Service (JAAS) model.

Note: More information on JAAS can be found at this Web site: http://java.sun.com/products/jaas

Tivoli Access Manager provides one JAAS LoginModule. You can use the module in two different ways. You can use it to authenticate a user and obtain the user's credentials. Alternatively, you can use it just to obtain the user's credentials.

Authenticating with a user name and password


In order to authenticate a user, the LoginModule requires that the calling application provide the following:

- A principal name, specified as either a short name or an X.500 name (DN)
- A password

The LoginModule authenticates the principal and returns the Tivoli Access Manager credential. The LoginModule expects the calling application to provide the following information:

- The user name, through a javax.security.auth.callback.NameCallback
- The password, through a javax.security.auth.callback.PasswordCallback

When the Tivoli Access Manager credential is successfully retrieved, the JAAS LoginModule creates a Subject and a PDPrincipal.

Chapter 2. Understanding security in IBM Tivoli Access Manager

Retrieving credentials without authenticating


To retrieve credentials without authenticating, the calling application can call the JAAS LoginModule with only a principal name, given as a short name or an X.500 name (DN). The LoginModule expects the calling application to provide the user name through a javax.security.auth.callback.NameCallback.

Using the login configuration file


You can use an entry in the login configuration file to specify which of two login modes your application uses. You can configure the module to either require both a user name and a password, or just a user name. This configuration takes the form of an optional keyword, nameOnly=true. If nameOnly is omitted or specified to be false, both the user name and the password are required.

Authorizing access requests


The Tivoli Access Manager authorization Java classes are built around JAAS and the Java 2 security model. The Tivoli Access Manager API closely follows the Java 2 permission model.

Note: For more information on the Java 2 security model, see: http://java.sun.com/j2se/1.3/docs/guide/security/index.html

The Tivoli Access Manager authorization API Java classes provide a new permission class named PDPermission. This class extends the abstract class com.ibm.IBMPermission, which extends the abstract class java.security.Permission. PDPermission establishes the SSL-protected socket communications protocol which is used to talk to Tivoli Access Manager. An entry needs to be made in the JAAS policy file to ensure that the JAAS security code calls the implies() method in the PDPermission class described below. This entry can be made specific to particular codebases, as desired. For Java 1.3.X you must define your JAAS policy in its own file and then specify the URL in the java.security file using the property auth.policy.url.X (where X is an integer). For example:
auth.policy.url.1=file:${java.home}/lib/security/jaas.policy

Alternatively, you can use the Java interpreters D flag to specify the JAAS policy file. For example:
java -Dauth.policy.url.1=file:/opt/PolicyDirector/etc/jaas.policy

Note: For Java 1.4, you can specify the JAAS policy directly in the java.policy file found in java_home/lib/security. You can also use the same method as for Java 1.3.X.

A JAAS policy entry for PDPermission looks like this:

grant signedBy "xxx", codeBase "file:/E:/Program Files/aaa/bbb/ccc",
      principal com.tivoli.mts.PDPrincipal "*" {
    permission com.tivoli.mts.PDPermission "ignoreme", "a";
};

The contents of the action string ignoreme above are unimportant because the PDPermission class ignores them. This is because Tivoli Access Manager acts as the repository for security policy. The intent of this entry is to get the Java security code to call the implies() method when some resource manager checks to see if a permission is held.

The PDPermission class implements a constructor plus the following methods:

implies()
  Checks whether Tivoli Access Manager grants the specified permissions.
equals()
  Determines if two PDPermission objects are equal.
getActions()
  Returns the canonical string representation of the actions.
hashCode()
  Returns the hash code value for the object.

The implies() method flow consists of the following steps:

1. Use the static getSubject() method to retrieve the current Subject. (The Subject was created by the PDLoginModule class and placed on the current thread of execution by the resource manager.)
2. If the Subject contains a Principal of type com.tivoli.mts.PDPrincipal, then the appropriate credentials are secured for the call to Tivoli Access Manager.

The example below illustrates one way a resource manager, such as a Web server or Enterprise Java Beans container, would place the Subject on the current thread of execution.
Subject.doAs(whoami, new java.security.PrivilegedAction() {
    public java.lang.Object run() {
        // the resource manager's work runs here with whoami as the current Subject
        return null;
    }
});

At this point the PDPermission class has all the information required to make the authorization call to Tivoli Access Manager. The code sample below shows a typical authorization check that invokes the Tivoli Access Manager through the PDPermission class implementation. The checkPermission() method returns quietly unless it fails, in which case it throws a java.lang.SecurityException.
PDPermission perm = new PDPermission("/MyResourceManager/private",
                                     "[simple]rT[newActionGroup1]Z");
// sm is a reference to the installed SecurityManager
sm.checkPermission(perm);


Chapter 3. Using the authorization API


This chapter covers the following topics:

- Configuring a Java application into the secure domain on page 14
- Configuring the Java Authentication and Authorization Service on page 19
- Developing a resource manager on page 20
- Making authorization decisions outside of Java 2 on page 21
- Obtaining entitlements for a specified user on page 22


Configuring a Java application into the secure domain


Java applications that use Tivoli Access Manager security must be configured into a Tivoli Access Manager secure domain. Tivoli Access Manager provides a utility class called com.tivoli.pd.jcfg.SvrSslCfg that can be used to accomplish the necessary configuration and unconfiguration tasks. This section describes those tasks, and provides example command line syntax for each task. You can use SvrSslCfg to accomplish the following tasks:

- Configuring an application server on page 15
- Unconfiguring an application server on page 16
- Adding a policy or authorization server on page 16
- Removing a policy or authorization server on page 17
- Changing a policy or authorization server on page 17
- Replacing a certificate on page 17
- Setting the port on page 17
- Setting the database directory on page 17
- Setting the database refresh interval on page 18
- Setting the application listening mode on page 18

The examples in this chapter use the values shown in Table 2.


Table 2. Sample information used for SvrSslCfg examples

Information: Administrator user ID
  Value: sec_master
Information: Administrator password
  Value: secpw
Information: Policy server, TCP/IP communications port number, and rank (default port is 7135)
  Value: ampolicy.myco.com:7135:1
  This entry can also be used to specify a policy server proxy. The location, port, and rank of the policy server proxy must be specified. The default port for a proxy is 7138.
Information: Authorization server, TCP/IP communications port number, and rank (default port is 7136)
  Value: amazn.myco.com:7136:1
Information: Host name of Java application system
  Value: jsys.myco.com
Information: TCP/IP port on which the application server listens for communications from the policy server
  Value: 999
Information: Application server password
  Value: pw
Information: Tivoli Access Manager application ID
  Value: PDPermissionjapp
  The application ID must be unique. Other instances of the application running on this or other systems must each be given a unique ID.
Information: Tivoli Access Manager domain
  Value: mydomain
Information: Configuration file
  Value: c:\am\config_file.conf
  Note that SvrSslCfg creates this configuration file when called with -action config. When SvrSslCfg is called with other options (for example, -action addsvr), the configuration file is expected to already exist.
Information: Keystore file
  Value: c:\am\keystore_file.ks
  Note that SvrSslCfg creates this keystore file when called with -action config. When SvrSslCfg is called with other options (for example, -action addsvr), the keystore file is expected to already exist.

A detailed command reference for the SvrSslCfg class can be found in Appendix A, com.tivoli.pd.jcfg.SvrSslCfg, on page 31. Compatibility Note: The com.tivoli.mts.SvrSslCfg class has been deprecated. The new com.tivoli.pd.jcfg.SvrSslCfg class does not support either of the positional parameter formats used in Tivoli SecureWay Policy Director Version 3.8 or Tivoli Access Manager Version 3.9. Existing Java applications need to be modified to use the new class.

Configuring an application server


Tivoli Access Manager uses a self-generated and self-signed certificate to authenticate its Secure Sockets Layer (SSL) communications. The Tivoli Access Manager authorization API Java classes must be able to determine the certificate that Tivoli Access Manager is using in order to establish its SSL communication. You also must establish an identity for the Java application. The SvrSslCfg class is used to create a Tivoli Access Manager user account for an application server and to store the server's configuration and certificate information in local configuration and keystore files. After obtaining the necessary information, use the SvrSslCfg option -action config to create the Tivoli Access Manager application name, the configuration file, and the keystore file. Configuring an application server creates user and server information in the user registry as well as local configuration and keystore files. When using -action config, you must also specify whether you are creating or replacing the configuration and keystore files. The -cfg_action create option is used to initially create the configuration and keystore files. Use -cfg_action replace if these files already exist. If the -cfg_action create option is used and the configuration or keystore files already exist, an exception is thrown. Tivoli Access Manager supports application servers in either remote mode or local mode. A sample configuration command for each mode is shown below.


Configuring remote mode


Based on the sample information shown in Table 2 on page 14, the command to establish an SSL connection between japp.myco.com and the Tivoli Access Manager secure domain, in remote mode, could be as follows:
java com.tivoli.pd.jcfg.SvrSslCfg -action config \
    -admin_id sec_master -admin_pwd secpw \
    -appsvr_id PDPermissionjapp -appsvr_pwd pw -host jsys.myco.com \
    -mode remote -port 999 -policysvr ampolicy.myco.com:7135:1 \
    -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf \
    -key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create

Compatibility Note: In Tivoli SecureWay Policy Director Version 3.8, the arguments for the deprecated com.tivoli.mts.SvrSslCfg class did not allow the specification of the configuration and keystore files and required that the account for the application be created on the policy server prior to invoking the class. In Tivoli Access Manager, both are now supported in one operation using the com.tivoli.pd.jcfg.SvrSslCfg class.

Configuring local mode


Based on the sample information shown in Table 2 on page 14, the command to establish an SSL connection between the Java application and Tivoli Access Manager secure domain in local mode might be as follows:
java com.tivoli.pd.jcfg.SvrSslCfg -action config \
    -admin_id sec_master -admin_pwd secpw \
    -appsvr_id PDPermissionjapp -host jsys.myco.com \
    -mode local -port 999 -policysvr ampolicy.myco.com:7135:1 \
    -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf \
    -key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create

Note: Tivoli Access Manager Java authorization servers operate as remote mode servers, even when configured as local mode servers. Local cache mode is not supported by the Tivoli Access Manager Java authorization API. Note also that local mode was not available in Tivoli SecureWay Policy Director Version 3.8 or Tivoli Access Manager Version 3.9.

Unconfiguring an application server


The -action unconfig option removes the user and server information from the user registry, deletes the local keystore file and removes information for this application from the configuration file but does not delete the configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action unconfig \
    -admin_id sec_master -admin_pwd secpw \
    -appsvr_id PDPermissionjapp -host jsys.myco.com \
    -policysvr ampolicy.myco.com:7135:1 \
    -cfg_file c:/am/config_file.conf -domain mydomain

The unconfiguration operation fails only if the caller is unauthorized or the policy server cannot be contacted.

Adding a policy or authorization server


The -action addsvr option adds a policy or authorization server to the application servers configuration file. To add a policy server:
java com.tivoli.pd.jcfg.SvrSslCfg -action addsvr \
    -policysvr ampolicy3.myco.com:7135:2 \
    -cfg_file c:/am/config_file.conf


To add an authorization server:

java com.tivoli.pd.jcfg.SvrSslCfg -action addsvr \
    -authzsvr am2azn.myco.com:7136:2 \
    -cfg_file c:/am/config_file.conf

Removing a policy or authorization server


Use the -action rmsvr option to remove a policy or authorization server from the configuration file. To remove a policy server:

java com.tivoli.pd.jcfg.SvrSslCfg -action rmsvr \
    -policysvr ampolicy.myco.com:7135:1 \
    -cfg_file c:/am/config_file.conf

To remove an authorization server:

java com.tivoli.pd.jcfg.SvrSslCfg -action rmsvr \
    -authzsvr amazn.myco.com:7136:1 \
    -cfg_file c:/am/config_file.conf

Changing a policy or authorization server


Use the -action chgsvr option to change the port or rank for a policy or authorization server in the configuration file. Do not use this option to change the host name.
java com.tivoli.pd.jcfg.SvrSslCfg -action chgsvr \
    -policysvr ampolicy2.myco.com:7135:2 \
    -cfg_file c:/am/config_file.conf

or

java com.tivoli.pd.jcfg.SvrSslCfg -action chgsvr \
    -authzsvr amazn.myco.com:7136:1 \
    -cfg_file c:/am/config_file.conf

Replacing a certificate
The certificate in the keystore expires based on the certificate lifetime set on the policy server. After the certificate expires, the -action replcert option must be used to generate a new certificate. The new certificate replaces the existing certificate in the application servers keystore file. The -action replcert option also can be used to invalidate an existing certificate, which is useful should a certificate become compromised.
java com.tivoli.pd.jcfg.SvrSslCfg -action replcert \
    -admin_id sec_master -admin_pwd secpw \
    -appsvr_id PDPermissionjapp -cfg_file c:/am/config_file.conf

Setting the port


Use the -action setport option to set the port on which the application server listens. This only updates the application servers configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action setport \
    -port 4321 -cfg_file c:/am/config_file.conf

Setting the database directory


Use the -action setdbdir option on local-mode application servers to set the directory where a local copy of the policy database is stored. This only updates the application servers configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action setdbdir \
    -dbdir c:/production/policy -cfg_file c:/am/config_file.conf

Setting the database refresh interval


Use the -action setdbref option on local-mode application servers to set the refresh interval for the local copy of the policy database. The time interval is specified in seconds. This only updates the application servers configuration file. The following example sets the interval to every 60 minutes.
java com.tivoli.pd.jcfg.SvrSslCfg -action setdbref \
    -dbrefresh 3600 -cfg_file c:/am/config_file.conf

Setting the application listening mode


Use the -action setdblisten option on local-mode application servers to indicate whether or not the application listens for policy database update notifications. This only updates the application servers configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action setdblisten \
    -dblisten true -cfg_file c:/am/config_file.conf


Configuring the Java Authentication and Authorization Service


This section describes how to set up and use a login configuration file with the Tivoli Access Manager authorization API Java classes. The Tivoli Access Manager configuration steps follow the configuration methods supported by the Java Authentication and Authorization Service (JAAS). This section does not provide an overview of all of the JAAS configuration options. To review the JAAS configuration information, see the following Web site: http://java.sun.com/products/jaas

Complete the instructions in the following sections:

- Creating a login configuration file on page 19
- Specify the login file location on page 19

Creating a login configuration file


Use the sample file shown in Figure 1 as the basis for creating a login configuration file for use with Tivoli Access Manager. No default login configuration file is shipped as part of Tivoli Access Manager.
//// config.pd: Login configuration file for PDLoginModule
pd-debug {
    com.tivoli.mts.PDLoginModule required debug=true;
};
pd {
    com.tivoli.mts.PDLoginModule required;
};
pd-nopass {
    com.tivoli.mts.PDLoginModule required nameOnly=true;
};

Figure 1. JAAS login configuration file

Note that the last stanza allows applications that use pd-nopass in their LoginContext constructor to simply supply user names but not passwords. For more information, see the Javadoc information for com.tivoli.mts.PDLoginModule.

Specify the login file location


Choose one of the following ways to specify the location of the login file:

- Point to the login configuration file from the JAVA_HOME/jre/lib/security/java.security file. For example, a sample entry from the java.security file might look like this:

  login.config.url.1=file:d:/Java/j131ibm/jre/lib/security/config.pd

- Specify the appropriate -D option on the java command line invocation, such as:

  -Djava.security.auth.login.config=./config.pd

For more information, see the JAAS configuration documentation.


Developing a resource manager


A resource manager is a Java application that uses the JAAS and the Tivoli Access Manager authorization API Java classes to make access control decisions. The sample code in Figure 2 illustrates the tasks that the resource manager must perform.
// lc, np, whoami, sm, user and VERBOSE are declared elsewhere in the sample

// Identify the login configuration entry and the callback handler
lc = new LoginContext("pd-debug", np);
// Drive the login() and commit() methods of the LoginModule class
lc.login();
whoami = lc.getSubject();
System.out.println(whoami);

// Become that user
Subject.doAsPrivileged(whoami, new java.security.PrivilegedAction() {
    public java.lang.Object run() {
        boolean worked;
        java.security.Permission perm = new PDPermission("/test/private", "a");
        try {
            // sm is a reference to a SecurityManager
            sm.checkPermission(perm);
            worked = true;
        } catch (AccessControlException e) {
            if (VERBOSE) e.printStackTrace();
            worked = false;
        }
        if (worked) {
            System.out.println("user " + user + " has \"" + perm.getActions()
                + "\" permission(s) to target " + perm.getName());
        } else {
            System.out.println("user " + user + " DOES NOT HAVE \"" + perm.getActions()
                + "\" permission(s) to target " + perm.getName());
        }
        return null;
    }
}, (java.security.AccessControlContext) null);

Figure 2. Resource manager task example
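Figure 2 hands a callback handler (np) to LoginContext but never shows it. The class below is an added example, not code from the IBM documentation: it answers the NameCallback and PasswordCallback that PDLoginModule issues (see "Authenticating with a user name and password" and "Retrieving credentials without authenticating") and uses the pd and pd-nopass stanzas of Figure 1. The class name PDCallbackHandler, the choice to reject a PasswordCallback when no password was supplied, and the clearing of the password array afterwards are assumptions of this example.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example (hypothetical class name): answers the callbacks that
// com.tivoli.mts.PDLoginModule issues, as described in Chapter 2.
public class PDCallbackHandler implements CallbackHandler {
    private final String principalName;   // short name or X.500 DN
    private final char[] password;        // null when only the credential is wanted

    public PDCallbackHandler(String principalName, char[] password) {
        this.principalName = principalName;
        this.password = password;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                ((NameCallback) callbacks[i]).setName(principalName);
            } else if (callbacks[i] instanceof PasswordCallback) {
                if (password == null) {
                    // A password-requiring stanza ("pd") was used without a password:
                    // fail here rather than send an empty password to the server.
                    throw new UnsupportedCallbackException(callbacks[i],
                        "no password supplied for " + principalName);
                }
                // setPassword() clones the array, so the caller may clear ours afterwards
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                    "unexpected callback " + callbacks[i].getClass().getName());
            }
        }
    }

    // Authenticate with user name and password through the "pd" stanza of Figure 1.
    // Returns the Subject that PDLoginModule populated with a PDPrincipal.
    public static Subject login(String name, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("pd", new PDCallbackHandler(name, password));
        try {
            lc.login();                     // drives PDLoginModule.login() and commit()
        } finally {
            Arrays.fill(password, '\0');    // do not keep the clear-text password around
        }
        return lc.getSubject();
    }

    // Retrieve the credential only, through the "pd-nopass" (nameOnly=true) stanza.
    // PDLoginModule issues just a NameCallback in this mode, so no password is needed.
    public static Subject credentialsFor(String name) throws LoginException {
        LoginContext lc = new LoginContext("pd-nopass", new PDCallbackHandler(name, null));
        lc.login();
        return lc.getSubject();
    }
}
```

The Subject returned by either method is what Figure 2 passes to Subject.doAsPrivileged() before checking a PDPermission.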


Making authorization decisions outside of Java 2


The Tivoli Access Manager authorization API Java classes also support a completely Java-compliant usage of the Tivoli Access Manager authorization check that is outside of the Java 2 and JAAS framework. The PDPrincipal class has a constructor that takes a name and password and authenticates to Tivoli Access Manager as part of the construction of the object. The PDPrincipal class also has a constructor that simply takes a name. A security check is performed on the current environment when one is using the no-password version of the constructor. The permission that must be held is:
permission javax.security.auth.AuthPermission "createPDPrincipal";

If authorized, the constructor retrieves the authentication information from Tivoli Access Manager for that entity. The names that are supported on these constructors can either be Tivoli Access Manager short names, or distinguished names. After you have constructed a PDPrincipal object for the specified entity, construct a PDPermission with the name of the requested resource, the protected object, and the requested action to be performed on that object. Then invoke the PDPrincipal.implies(PDPermission) method to determine if the specified access to the specified object is allowed by the specified entity. The sample in Figure 3 shows an example of how to perform these tasks.
PDPrincipal whoIsIt = new PDPrincipal("tom", "letmein".toCharArray());
PDPermission whatTheyWant = new PDPermission("/everything", "abT");
boolean haveAccess = whoIsIt.implies(whatTheyWant);
if (haveAccess) {
    // let them proceed...
} else {
    // deny the requested access
}

Figure 3. Example showing authorization outside of Java 2


Obtaining entitlements for a specified user


The authorization API supports a service plug-in model that enables developers to add modules that extend the capabilities of Tivoli Access Manager. The entitlements service plug-in is the only type of plug-in that is callable from a Java application at this time. An entitlements service plug-in enables authorization API applications for a specific Tivoli Access Manager secure domain to retrieve the entitlements for a user from the policy repository for that secure domain. An entitlements service allows a third-party application running in the secure domain to call a specific entitlements service based on its service ID. If no service ID is provided, the default entitlements service plug-in is called. An entitlements service plug-in, like other authorization service plug-ins, must be installed and configured before use. Tivoli Access Manager provides a default entitlement service called the Tivoli Access Manager protected objects entitlements service that is specific to the Tivoli Access Manager environment. This entitlements service plug-in accepts a single, multi-valued string attribute that specifies one or more root nodes for searching the Tivoli Access Manager protected object space along with an indicator of what access permissions are required. The plug-in returns a multi-valued attribute list of protected objects meeting the search criteria. This entitlement service can be called from a Java application by using the PDPrincipal.getEntitlements method, which is equivalent to using the azn_entitlements_get_entitlements() function from a C application. Figure 4 shows a call to the protected objects entitlements service requesting a list of objects in the /AppData/AccountData and /AppData/EmployeeData object trees to which the principal has view and modify permission.
PDAttrs attrsIn = new PDAttrs(true);
PDAttrs attrsOut = new PDAttrs(true);

// Does user have view and modify access to desired resources?
attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, "/AppData/AccountData");
attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, "/AppData/EmployeeData");
attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_REQD_OPS, "vm");
attrsOut = principal.getEntitlements(PDStatics.AZN_ENT_SVC_PD_POBJ, attrsIn);

// Is user entitled to anything?
PDAttrValues results = attrsOut.get(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);
if ((results == null) || (results.isEmpty())) {
    System.out.println("Nothing found.");
    break major;   // leaves the enclosing block labeled "major:"
}
// Process String or byte array results...

Figure 4. Using the PDPrincipal.getEntitlements method

The protected objects entitlements service returns a multi-valued attribute list consisting of byte arrays or Strings representing the protected objects to which the principal has the desired access permission. The sample code in Figure 5 demonstrates printing the results.
// Process results of getEntitlements
PDAttrValues results = attrsOut.get(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);
if ((results == null) || (results.isEmpty())) {
    System.out.println("Nothing found");
    break major;   // leaves the enclosing block labeled "major:"
}
// Each element of the collection is a PDAttrValue wrapping a String or byte[]
java.util.Iterator iter = results.iterator();
while (iter.hasNext()) {
    Object value = ((PDAttrValue) iter.next()).getValue();
    System.out.println(value.toString());
}

Figure 5. Processing protected objects returned

Additional information on the entitlements service plug-in as well as the other types of authorization service plug-ins can be found in the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.
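As an added example (not code from the IBM reference), the calls of Figures 4 and 5 folded into one reusable method that accepts any set of root nodes and required operations and returns the matching protected objects as strings, decoding byte-array results as well as Strings. The class and method names and the UTF-8 decoding of byte arrays are assumptions of this example.

```java
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import com.tivoli.mts.PDPrincipal;
import com.tivoli.pd.jutil.PDAttrs;
import com.tivoli.pd.jutil.PDAttrValue;
import com.tivoli.pd.jutil.PDAttrValues;
import com.tivoli.pd.jutil.PDStatics;

/**
 * Added example (not from the IBM reference): the entitlements call of
 * Figures 4 and 5 as one reusable method. Class and method names are
 * assumptions.
 */
public class EntitlementQuery {

    /**
     * Returns the protected objects below the given root nodes on which the
     * principal holds every permission bit in requiredOps (for example "vm"
     * for view and modify). An empty list means the principal is entitled
     * to nothing, so no labeled break is needed as in the figures.
     */
    public static List listEntitledObjects(PDPrincipal principal,
                                           String[] rootPaths,
                                           String requiredOps) {
        // Figure 4 constructs the attribute list this way; Chapter 4 also
        // lists PDAttrs(PDBasicContext, boolean) for use with a PDContext.
        PDAttrs attrsIn = new PDAttrs(true);

        // One multi-valued attribute: each add() appends another root node.
        for (int i = 0; i < rootPaths.length; i++) {
            attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_PATH, rootPaths[i]);
        }
        attrsIn.add(PDStatics.AZN_ENT_SVC_PD_POBJ_REQD_OPS, requiredOps);

        // Call the Tivoli Access Manager protected objects entitlements service.
        PDAttrs attrsOut = principal.getEntitlements(PDStatics.AZN_ENT_SVC_PD_POBJ, attrsIn);

        // Figures 4 and 5 read the matches with get(); Appendix B names
        // getValues() as its non-deprecated replacement.
        PDAttrValues matches = attrsOut.get(PDStatics.AZN_ENT_SVC_PD_POBJ_MATCHES);

        List objects = new ArrayList();
        if (matches == null || matches.isEmpty()) {
            return objects;
        }
        for (Iterator it = matches.iterator(); it.hasNext();) {
            Object value = ((PDAttrValue) it.next()).getValue();
            objects.add(asObjectName(value));
        }
        return objects;
    }

    /**
     * The service returns protected object names as Strings or byte arrays;
     * byte arrays are decoded here as UTF-8, which is an assumption of this
     * example and not stated in the reference.
     */
    static String asObjectName(Object value) {
        if (value instanceof byte[]) {
            try {
                return new String((byte[]) value, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException("UTF-8 not available: " + e);
            }
        }
        return value.toString();
    }

    public static void main(String[] args) {
        // Constructed user, password and object tree roots for the example only.
        PDPrincipal principal = new PDPrincipal("tom", "letmein".toCharArray());
        List objects = listEntitledObjects(principal,
                new String[] { "/AppData/AccountData", "/AppData/EmployeeData" },
                "vm");
        if (objects.isEmpty()) {
            System.out.println("Nothing found.");
            return;
        }
        for (Iterator it = objects.iterator(); it.hasNext();) {
            System.out.println(it.next());
        }
    }
}
```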


Chapter 4. Java classes overview


This chapter discusses the Tivoli Access Manager authorization API Java classes:
• com.tivoli.mts.PDLoginModule on page 25
• com.tivoli.mts.PDPrincipal on page 25
• com.tivoli.mts.PDPermission on page 26
• com.tivoli.pd.jutil.PDAttrs on page 26
• com.tivoli.pd.jutil.PDAttrValueList on page 27
• com.tivoli.pd.jutil.PDAttrValues on page 28
• com.tivoli.pd.jutil.PDStatics on page 28

See the Javadoc information in the Tivoli Access Manager ADK for detailed information about all of these classes and their associated methods.

com.tivoli.mts.PDLoginModule
This class enables a user to authenticate to Tivoli Access Manager using a user name and password. This class must be run inside the JAAS framework.
public class PDLoginModule implements javax.security.auth.spi.LoginModule {
    public PDLoginModule()
    public boolean login()
    public boolean logout()
    public boolean abort()
    public boolean commit()
    public void initialize(javax.security.auth.Subject subject,
                           javax.security.auth.callback.CallbackHandler callbackHandler,
                           java.util.Map sharedState,
                           java.util.Map options)
}
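The following is an added example, not code from the IBM reference, showing PDLoginModule driven through the standard JAAS LoginContext and the authenticated PDPrincipal then used for the direct permission check of Figure 3. The login configuration entry name PDLogin, the class and method names, and the assumption that PDLoginModule.commit() places a PDPrincipal in the Subject are not stated on this page.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.tivoli.mts.PDPermission;
import com.tivoli.mts.PDPrincipal;

/**
 * Added example (not from the IBM reference). Assumed JAAS login
 * configuration, selected with -Djava.security.auth.login.config=<file>;
 * the entry name is an assumption and the module's option names are not
 * given in this reference:
 *
 *     PDLogin {
 *         com.tivoli.mts.PDLoginModule required;
 *     };
 */
public class PDJaasLogin {

    /** Answers the name and password callbacks that PDLoginModule issues. */
    static final class FixedCredentials implements CallbackHandler {
        private final String name;
        private final char[] password;

        FixedCredentials(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(password);
                } else {
                    // Refuse anything this handler cannot answer rather than guess.
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }

    /**
     * Authenticates through the named JAAS entry. LoginContext calls
     * PDLoginModule.initialize() and login(), then commit() on success;
     * on failure it calls abort() and throws LoginException.
     */
    public static LoginContext authenticate(String entryName, String user, char[] password)
            throws LoginException {
        LoginContext lc = new LoginContext(entryName, new FixedCredentials(user, password));
        lc.login();
        return lc;
    }

    /**
     * Asks Tivoli Access Manager whether the authenticated Subject holds the
     * given actions on the protected object, using PDPrincipal.implies(PDPermission)
     * as in Figure 3. Assumes commit() added a PDPrincipal to the Subject;
     * with no PDPrincipal present the answer is deny.
     */
    public static boolean isAuthorized(Subject subject, String objectName, String actions) {
        PDPermission wanted = new PDPermission(objectName, actions);
        Set principals = subject.getPrincipals(PDPrincipal.class);
        for (Iterator it = principals.iterator(); it.hasNext();) {
            if (((PDPrincipal) it.next()).implies(wanted)) {
                return true;
            }
        }
        return false;   // default deny
    }

    public static void main(String[] args) {
        // Constructed credentials and object name for the example only.
        char[] password = "letmein".toCharArray();
        try {
            LoginContext lc = authenticate("PDLogin", "tom", password);
            boolean ok = isAuthorized(lc.getSubject(), "/everything", "abT");
            System.out.println(ok ? "access granted" : "access denied");
            lc.logout();   // invokes PDLoginModule.logout()
        } catch (LoginException e) {
            // Authentication failed or the login configuration entry is missing.
            System.out.println("login failed: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0');   // do not keep the secret in memory
        }
    }
}
```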

com.tivoli.mts.PDPrincipal
This class represents the identity of a Tivoli Access Manager user. Note that the PDPrincipal object can, when necessary, be deserialized. When this is done, use the setConfig() method to set configuration information within the reconstructed object. For more information, see the javadoc reference page for com.tivoli.mts.PDPrincipal.
public class PDPrincipal implements java.security.Principal,
        com.ibm.security.auth.PrincipalComparator, java.io.Externalizable {
    public PDPrincipal()
    public PDPrincipal(byte[] creds, URL configURL)
    public PDPrincipal(String name)
    public PDPrincipal(String name, char[] password)
    public PDPrincipal(String name, char[] password, URL configURL)
    public PDPrincipal(String name, String creds, URL configURL)
    public PDPrincipal(String name, URL configURL)
    public PDPrincipal(URL configURL)
    public PDPrincipal addGroupMemberships(String serviceID, String[] groups)
    public boolean equals(Object o)
    public PDAttrs getEntitlements(String serviceID, PDAttrs attrsIn)
    public String getName()
    public byte[] getPAC()
    public int hashCode()
    public void readExternal(ObjectInput in)
    public void writeExternal(ObjectOutput out)
    public void setConfig(URL configURL)
    public String toString()
    public boolean implies(javax.security.auth.Subject subject)
    public boolean implies(PDPermission perm)
    public boolean implies(PDPermission perm, PDAttrs attrsIn, PDAttrs attrsOut)
}

com.tivoli.mts.PDPermission
This class represents an authorization permission for accessing a protected resource object in a secure domain defined by Tivoli Access Manager. PDPermission allows usage of Tivoli Access Manager as the authorization engine for normal Java 2 permission checks.
public class PDPermission {
    public PDPermission(java.lang.String rname, java.lang.String actions)
    public boolean implies(java.security.Permission p)
    public boolean implies(PDPrincipal princ)
    public boolean implies(PDPrincipal princ, PDAttrs inputList, PDAttrs outputList)
    public boolean equals(Object obj)
    public String getActions()
    public int hashCode()
}

com.tivoli.pd.jutil.PDAttrs
This class represents a collection of attributes. Attributes are used to encapsulate input and output data sent to and received from authorization and administration service functions. Each attribute consists of entries that have a name and one or more values. The names are Strings, and the values can be of type String, byte array, Long, or PDAdmSvcPobj. Several of the constructors for this class use the context parameter, of class com.tivoli.pd.jutil.PDBasicContext. This is a superclass of the Tivoli Access Manager contexts. The context that should be passed for the authorization APIs is a subclass such as PDContext.
public class PDAttrs extends com.tivoli.pd.jutil.PDEnvironmentObject
        implements java.lang.Cloneable, java.io.Serializable {
    public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context)
    public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context, boolean allowDuplicates)
    public PDAttrs(PDAttrs that)
    public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context, byte[] serverData)
    public PDAttrs(com.tivoli.pd.jutil.PDBasicContext context, com.tivoli.pd.jasn1.attrlist_t alt)
    public java.util.Collection add(java.lang.String name, PDAttrValues vals)
    public java.util.Collection add(java.lang.String name, java.util.Collection vals)
    public java.util.Collection add(java.lang.String name, java.lang.String value)
    public java.util.Collection add(java.lang.String name, java.lang.Long value)
    public java.util.Collection add(java.lang.String name, PDAdmSvcPobj value)
    public java.util.Collection add(java.lang.String name, byte[] value)
    public void addAll(PDAttrs attrs)
    public void clear()
    public boolean delete(java.lang.String key)
    public java.lang.Object clone()
    public java.util.Set entrySet()
    public boolean equals(java.lang.Object obj)
    public PDAttrValues get(java.lang.String key)
    public java.util.Collection getValues(java.lang.String key)
    public int getQoP()
    public boolean allowDups()
    public int hashCode()
    public java.util.Set keySet()
    public void setQoP(int qop)
    public int size()
    public java.lang.String toString()
    public com.tivoli.pd.jasn1.attrlist_t getAttrlist_t()
    public void getAttrlist_t(com.tivoli.pd.jasn1.attrlist_t alt)
}

com.tivoli.pd.jutil.PDAttrValue
This class represents the value of a Tivoli Access Manager attribute. A value may be a String, a byte array, a Long, or a PDAdmSvcPobj.
public class PDAttrValue extends com.tivoli.pd.jutil.PDEnvironmentObject
        implements java.lang.Cloneable, java.io.Serializable {
    public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, java.lang.String string)
    public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, byte[] bytes)
    public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, PDAdmSvcPobj pobj)
    public PDAttrValue(com.tivoli.pd.jutil.PDBasicContext context, java.lang.Long ulong)
    public boolean equals(java.lang.Object iobj)
    public java.lang.Object getValue()
    public int getType()
    public int hashCode()
    public java.lang.Object clone()
    public java.lang.String toString()
}

com.tivoli.pd.jutil.PDAttrValueList
This class represents the list of values for one attribute. Each value must be a PDAttrValue. The list is ordered and allows duplicates.
public class PDAttrValueList extends java.util.ArrayList
        implements java.lang.Cloneable, java.io.Serializable {
    public PDAttrValueList(com.tivoli.pd.jutil.PDBasicContext context)
    public PDAttrValueList(com.tivoli.pd.jutil.PDBasicContext context, java.util.Collection c)
    public java.lang.Object set(int index, java.lang.Object element)
    public boolean add(java.lang.Object element)
    public void add(int index, java.lang.Object element)
    public boolean addAll(java.util.Collection c)
    public boolean addAll(int index, java.util.Collection c)
    public boolean equals(java.lang.Object obj)
    public java.lang.Object clone()
    public java.lang.String toString()
    public int hashCode()
}

com.tivoli.pd.jutil.PDAttrValues
This class represents the collection of values for one attribute. Each value must be a PDAttrValue. The collection is unordered and does not allow duplicates.
public class PDAttrValues extends java.util.HashSet
        implements java.lang.Cloneable, java.io.Serializable {
    public PDAttrValues(com.tivoli.pd.jutil.PDBasicContext context)
    public PDAttrValues(com.tivoli.pd.jutil.PDBasicContext context, java.util.Collection c)
    public boolean add(PDAttrValue value)
    public boolean add(java.lang.Object obj)
    public boolean addAll(java.util.Collection c)
    public java.lang.Object clone()
    public boolean equals(java.lang.Object obj)
    public java.lang.String toString()
    public int hashCode()
    public byte[] encode()
}

com.tivoli.pd.jutil.PDStatics
This class contains various constants used in the PDPermission class and other associated classes.
public class PDStatics extends java.lang.Object {
    public static final java.lang.String AZN_MOD_SVC_RAD_2AB
    public static final java.lang.String AZN_MOD_RAD_GROUP_NAMES
    public static final java.lang.String AZN_ENT_SVC_PD_POBJ
    public static final java.lang.String AZN_ENT_SVC_PD_POBJ_PATH
    public static final java.lang.String AZN_ENT_SVC_PD_POBJ_REQD_OPS
    public static final java.lang.String AZN_ENT_SVC_PD_POBJ_MATCHES
    public static final int QOP_NONE
    public static final int QOP_INTEGRITY
    public static final int QOP_PRIVACY
    public static final int AZN_VALTYPE_BUFFER
    public static final int AZN_VALTYPE_STRING
    public static final int AZN_VALTYPE_POBJ
    public static final int AZN_VALTYPE_ULONG
    public static final int AZN_PERMISSION_ALLOWED
    public static final int AZN_PERMISSION_DENIED
}


Chapter 5. Upgrade considerations


Review Appendix B, Deprecated Java authorization classes and methods, on page 37 before making changes to an existing Java application. A number of classes and methods have been deprecated in this version of Tivoli Access Manager.

Administrators or application developers who use existing Java applications built using the authorization API provided in Tivoli SecureWay Policy Director Version 3.8 need to be aware of the following changes introduced in Tivoli Access Manager.

1. The authorization ADK is now called the Tivoli Access Manager ADK and only contains the Javadoc information associated with the Java classes and methods. The authorization API Java classes and methods are provided as part of the Tivoli Access Manager Java runtime component. Both of these components can be installed from the Tivoli Access Manager base product CD.
2. The PD.jar file replaces the PDPerm.jar file that was provided in Tivoli SecureWay Policy Director. The PD.jar file contains the definitions for both the authorization Java classes and the administration Java classes.
3. You no longer need to copy the JAR files or make changes to the CLASSPATH environment variable to use Tivoli Access Manager Java classes and methods. The pdjrtecfg command line interface is used to make the Tivoli Access Manager JAR files available to one or more JREs on a system. See the IBM Tivoli Access Manager for e-business Command Reference for information on the pdjrtecfg command.
4. In Tivoli SecureWay Policy Director, two pdadmin commands had to be entered on the policy server before using the SvrSslCfg class to create configuration files. The SvrSslCfg class now automatically creates the necessary Tivoli Access Manager user account on the policy server.


Appendix A. com.tivoli.pd.jcfg.SvrSslCfg
This class is used to configure, unconfigure, and modify the configuration information associated with a Tivoli Access Manager Java application server.
public class SvrSslCfg extends java.lang.Object {
    public static void main(java.lang.String[] argv) throws PDException
}

The use of the com.tivoli.pd.jcfg.SvrSslCfg class can be summarized as follows:


java com.tivoli.pd.jcfg.SvrSslCfg
    -action { config | unconfig | addsvr | rmsvr | chgsvr | setport | setdblisten | setdbref | replcert }
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    -appsvr_pwd application_server_password
    -port port_number
    -mode { local | remote }
    -host Host_name_of_application_server
    -policysvr policy_server_name:port:rank [,...]
    -authzsvr authorization_server_name:port:rank [,...]
    -cfg_file fully_qualified_name_of_configuration_file
    -domain Tivoli_Access_Manager_domain
    -key_file fully_qualified_name_of_keystore_file
    -msg_id message_identifier
    -dblisten { true | false }
    -dbrefresh refresh_interval_in_seconds
    -dbdir name_of_directory_for_local_policy_database
    -cfg_action { create | replace }

Compatibility Note: The com.tivoli.mts.SvrSslCfg class has been deprecated in Tivoli Access Manager. Existing applications should change to use the new com.tivoli.pd.jcfg.SvrSslCfg class, as the deprecated class will be removed in a future version of the product.

After the successful configuration of a Tivoli Access Manager Java application server, SvrSslCfg creates a user account and server entries representing the Java application server in the Tivoli Access Manager user registry. In addition, SvrSslCfg creates a configuration file and a Java keystore file, which securely stores a client certificate, locally on the application server. This client certificate permits callers to make authenticated use of Tivoli Access Manager services. Conversely, unconfiguration removes the user and server entries from the user registry and cleans up the local configuration and keystore files.

The contents of an existing configuration file can be modified by using the SvrSslCfg class. The configuration file and the keystore file must already exist when calling SvrSslCfg with all options other than action config or action unconfig.

A complete list of the actions available in the SvrSslCfg class is outlined following the description of the parameters in Table 3 on page 32.

Note: The following options are parsed and processed into the configuration file, but are otherwise ignored in this version of Tivoli Access Manager:
• port
• mode local
• dblisten
• dbdir
• dbrefresh


Table 3. Description of parameters for the SvrSslCfg configuration action

admin_id user_ID
    A Tivoli Access Manager user with administrative privileges. This parameter is required.

admin_pwd password
    Password associated with the Tivoli Access Manager administrative user specified. This parameter is required.

appsvr_id name
    The name of the application server. This parameter is required.

port port_number
    The TCP/IP port which the application server listens to for policy server notifications. This parameter is required.

mode { local | remote }
    Indicates whether the application server processes requests remotely or locally. This parameter is required.

policysvr hostname:port:rank [,hostname2:port2:rank2...]
    A list of Tivoli Access Manager policy servers to which the application server can communicate. Format of this entry is host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following indicates two policy servers, both using default TCP/IP port 7135, are available:
        primary.myco.com:7135:1,secondary.myco.com:7135:2
    This parameter is required.

authzsvr hostname:port:rank [,hostname2:port2:rank2...]
    A list of Tivoli Access Manager authorization servers to which the application server can communicate. Format of this entry is host name, TCP/IP port number, and numeric rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following indicates two authorization servers, both using default TCP/IP port 7136, are available:
        secazn.myco.com:7136:2,primazn.myco.com:7136:1
    This parameter is required.

cfg_file file_name
    Fully qualified name of the configuration file on the application server. SvrSslCfg action config creates this file. The filename should have a .conf suffix. You can specify any valid name. This parameter is required.

key_file file_name
    Fully qualified name of the keystore file on the application server. SvrSslCfg action config creates this file. The filename should have a .ks suffix. You can specify any valid name. This parameter is required.

msg_id message_identifier
    An identifier that determines the directory in which to locate the trace and log files that are generated when using this application server. This identifier is used only if Tivoli Common Directory logging is enabled for the Tivoli Access Manager Java runtime. Refer to the IBM Tivoli Access Manager for e-business Problem Determination Guide for more information on Tivoli Common Directory logging, message files and message file locations. This parameter is optional. There is no default value.

domain domain_name
    The Tivoli Access Manager domain for the application server. This parameter is optional. The default value is the local domain.

appsvr_pwd password
    The password for the user account in the user registry associated with the application server. This parameter is optional. If it is specified, the password must meet the current password rules in effect. If it is omitted, a default password is automatically generated.

host host_name
    Host name of the application server. This parameter is optional. The default value is the local host.

desc description
    Description of the application server. This parameter is optional. The default value is empty (no description).

groups group_names
    The names of special groups the application server will be made a member of. This parameter is optional. The default value is empty (no special groups).

dblisten { true | false }
    Indicates whether or not the application server listens for policy database updates. This parameter is optional. The default value is true. This parameter is ignored when the mode parameter is set to remote.

dbdir directory_name
    The name of the directory to be used for the local copy of the policy database. This parameter is optional. If it is not specified, the default directory is the db directory, located just under the Tivoli Access Manager installation directory:
        installation_directory/db
    This parameter is ignored when the mode parameter is set to remote.

dbrefresh number_of_seconds
    Indicates the time interval, in seconds, that the application server polls the policy server for policy database updates. This parameter is optional. Value must be greater than or equal to zero. The default value is 600 seconds, or every 10 minutes. This parameter is ignored if the mode parameter is set to remote.

cfg_action { create | replace }
    Indicates whether the configuration and keystore files should be created on the application server or replaced. This parameter is optional. The default action is replace. When the create option is specified but the files already exist, an exception is raised. When the replace option is specified, the configuration and keystore files must already exist.


Note: The host name is used to build a unique name (identity) for the application. The pdadmin user list command displays the application identity name in the following format:
    server_name/host_name
Note that the pdadmin server list command will display the server name in a slightly different format:
    server_name-host_name

action config
Configures an application server. Configuring a server creates user and server information in the user registry and creates local configuration and keystore files on the application server. Use the action unconfig option to reverse this operation.
java com.tivoli.pd.jcfg.SvrSslCfg -action config
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    -appsvr_pwd application_server_password
    -port port_number
    -mode { local | remote }
    [ -host Host_name_of_application_server ]
    -policysvr policy_server_name:port:rank [,...]
    -authzsvr authorization_server_name:port:rank [,...]
    -cfg_file fully_qualified_name_of_configuration_file
    [ -domain Tivoli_Access_Manager_domain ]
    -key_file fully_qualified_name_of_keystore_file
    [ -cfg_action { create | replace } ]

action unconfig
Unconfigures an application server. Removes the user and server information from the user registry, deletes the local keystore file and removes information for this application from the configuration file but does not delete the configuration file. The unconfiguration operation fails only if the caller is unauthorized or the policy server cannot be contacted.
java com.tivoli.pd.jcfg.SvrSslCfg -action unconfig
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    [ -host host_name_of_application_server ]
    -policysvr policy_server_name:port:rank [,...]
    -cfg_file fully_qualified_name_of_configuration_file
    [ -domain Tivoli_Access_Manager_domain ]

Note: This action can succeed when there is no configuration file. When the configuration file does not exist, it is created and used as a temporary file to hold configuration information during the operation, and then the file is deleted completely.

action addsvr
Adds a policy or authorization server to the application server's configuration file.


java com.tivoli.pd.jcfg.SvrSslCfg -action addsvr
    { -policysvr policy_server_name | -authzsvr authorization_server_name }
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.

action rmsvr
Removes a policy or authorization server from the application server's configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action rmsvr
    { -policysvr policy_server_name | -authzsvr authorization_server_name }
    -cfg_file fully_qualified_name_of_configuration_file

action chgsvr
Changes the port or preference ranking of a policy or authorization server in the application server's configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action chgsvr
    { -policysvr policy_server_name | -authzsvr authorization_server_name }
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.

action replcert
Replaces a certificate in the application server's keystore file. The certificate in the keystore expires based on the certificate lifetime set on the policy server. After the certificate expires, the -action replcert option must be used to generate a new certificate. The -action replcert option can also be used to invalidate an existing certificate, which is useful should a certificate become compromised.
java com.tivoli.pd.jcfg.SvrSslCfg -action replcert
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.

action setport
Sets the port on which the application server listens for policy database notifications. This only updates the application server's configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action setport
    -port port_number
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.

action setdbdir
Sets the database directory. This only updates the application server's configuration file.


java com.tivoli.pd.jcfg.SvrSslCfg -action setdbdir
    -dbdir name_of_directory_for_local_policy_database
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.

action setdbref
Sets the database refresh interval, in seconds. This only updates the application server's configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action setdbref
    -dbrefresh refresh_interval_in_seconds
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.

action setdblisten
Sets the application listening mode. This only updates the application server's configuration file.
java com.tivoli.pd.jcfg.SvrSslCfg -action setdblisten
    -dblisten { true | false }
    -cfg_file fully_qualified_name_of_configuration_file

The configuration file must already exist when this action is called.


Appendix B. Deprecated Java authorization classes and methods


The classes and methods listed in Table 4 have been deprecated in IBM Tivoli Access Manager Version 5.1. Existing Java applications should be changed to use the replacement class or method indicated.
Table 4. Deprecated Java Classes

Deprecated Class or Method                                         Replacement Class or Method
com.tivoli.mts.PDAttrs()                                           com.tivoli.pd.jutil.PDAttrs()
com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, PDAttrValues)    com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, java.util.Collection)
com.tivoli.mts.PDAttrValue()                                       com.tivoli.pd.jutil.PDAttrValue()
com.tivoli.pd.jutil.PDAttrs.get(java.lang.String)                  com.tivoli.pd.jutil.PDAttrs.getValues(java.lang.String)
com.tivoli.mts.PDAttrValues()                                      com.tivoli.pd.jutil.PDAttrValues()
com.tivoli.mts.PDAttrValueList()                                   com.tivoli.pd.jutil.PDAttrValueList()
com.tivoli.mts.PDStatics()                                         com.tivoli.pd.jutil.PDStatics()
com.tivoli.mts.SvrSslCfg                                           com.tivoli.pd.jcfg.SvrSslCfg


Appendix C. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Glossary

A
access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.
access control list (ACL). In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file.
access permission. The access privilege that applies to the entire object.
action. An access control list (ACL) permission attribute. See also access control list.
ACL. See access control list.
administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service will respond to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.
attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name = value pairs.
authentication. (1) In computer security, verification of the identity of a user or the user's eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.
authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.
authorization rule. See rule.
authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Tivoli Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the authorization ADK.

B
BA. See basic authentication.
basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.
bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.
blade. A component that provides application-specific services and components.
business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization of requests for resources.

C
CA. See certificate authority.
CDAS. See Cross Domain Authentication Service.
CDMF. See Cross Domain Mapping Framework.
certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.
certificate authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner's identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.
CGI. See common gateway interface.
cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.
common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.
configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The machines, devices, and programs that make up a system, subsystem, or network.
connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.
container object. A structural designation that organizes the object space into distinct functional regions.
cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.
credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.
credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations that add attributes to and remove attributes from the credential's attribute list, and only for those attributes that are considered modifiable.
cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.
cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when the WebSEAL e-Community SSO functions are used.

D
daemon. A program that runs unattended to perform continuous or periodic systemwide functions, such as network control. Some daemons are triggered automatically to perform their task; others operate periodically.
directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.
distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.
digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.
DN. See distinguished name.
domain. (1) A logical grouping of users, systems, and resources that share common services and usually function with a common purpose. (2) That part of a computer network in which the data processing resources are under common control. See also domain name.
domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if the fully qualified domain name (FQDN) of a host system is as400.rchland.vnet.ibm.com, each of the following is a domain name: as400.rchland.vnet.ibm.com, vnet.ibm.com, ibm.com.

E
EAS. See External Authorization Service.
encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.
entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.
entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application-specific data that will be consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. Customers may develop these services using the authorization ADK.
external authorization service. An authorization API runtime plug-in that can be used to make application- or environment-specific authorization decisions as part of the Tivoli Access Manager authorization decision chain. Customers may develop these services using the authorization ADK.

F
file transfer protocol (FTP). In the Internet suite of protocols, an application layer protocol that uses Transmission Control Protocol (TCP) and Telnet services to transfer bulk-data files between machines or hosts.

G
global signon (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Global signon grants users access to the computing resources they are authorized to use through a single login. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single signon.
GSO. See global signon.

H
host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.
HTTP. See Hypertext Transfer Protocol.
hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I
Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.
Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).
interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.
IP. See Internet Protocol.
IPC. See Interprocess Communication.

J
junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. WebSEAL uses a junction to provide protective services on behalf of the back-end server.

K
key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.
key database file. See key ring.
key file. See key ring.
key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.
key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L
LDAP. See Lightweight Directory Access Protocol.
lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as e-mail addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC 1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.
lightweight third party authentication (LTPA). An authentication framework that allows single sign-on across a set of Web servers that fall within an Internet domain.
LTPA. See lightweight third party authentication.

M
management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.
management server. Obsolete. See policy server.
metadata. Data that describes the characteristics of stored data.
migration. The installation of a new version or release of a program to replace an earlier version or release.
multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.
multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N
network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P
PAC. See privilege attribute certificate.
permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.
policy. A set of rules that are applied to managed resources.
policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.
polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.
POP. See protected object policy.
portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.
privilege attribute certificate. A digital document that contains a principal's authentication and authorization attributes and a principal's capabilities.
privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice versa. These services could also be used to package or marshal a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the authorization ADK. See also privilege attribute certificate.
protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.
protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also access control list, protected object, and protected object space.
protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.
private key. In computer security, a key that is known only to its owner. Contrast with public key.
public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q
quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.

R
registry. The datastore that contains access and configuration information for users, systems, and software.
replica. A server that contains a copy of the directory or directories of another server. Replicas back up servers in order to enhance performance or response times and to ensure data integrity.
resource object. The representation of an actual network resource, such as a service, file, or program.
response file. A file that contains a set of predefined answers to questions asked by a program and that is used instead of entering those values one at a time.
role activation. The process of applying the access permissions to a role.
role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.
routing file. An ASCII file that contains commands that control the configuration of messages.
RSA encryption. A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The system's security depends on the difficulty of factoring the product of two large prime numbers.
rule. One or more logical statements that enable the event server to recognize relationships among events (event correlation) and to execute automated responses accordingly.
run time. The time period during which a computer program is executing. A runtime environment is an execution environment.

S
scalability. The ability of a network system to respond to increasing numbers of users who access resources.
schema. The set of statements, expressed in a data definition language, that completely describe the structure of a database. In a relational database, the schema defines the tables, the fields in each table, and the relationships between fields and tables.
secure sockets layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc.
security management. The management discipline that addresses an organization's ability to control access to applications and data that are critical to its success.
self-registration. The process by which a user can enter required data and become a registered Tivoli Access Manager user, without the involvement of an administrator.
service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, e-mail servers, and finger servers), or it can be more complex work such as that of print servers or process servers.
silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.
single signon (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately. See also global signon.
SSL. See Secure Sockets Layer.
SSO. See Single Signon.
step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource but requires the user to authenticate at a level at least as high as that required by the policy protecting a resource.
suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T
token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.
trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U
uniform resource identifier (URI). The character string used to identify content on the Internet, including the name of the resource (a directory and file name), the location of the resource (the computer where the directory and file name exist), and how the resource can be accessed (the protocol, such as HTTP). An example of a URI is a uniform resource locator, or URL.
uniform resource locator (URL). A sequence of characters that represent information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.
URI. See uniform resource identifier.
URL. See uniform resource locator.
user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.
user registry. See registry.

V
virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W
Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.
WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.
WPM. See Web Portal Manager.

Index

A
adding development systems 3 application server configuring 15 applications deploying 3, 5 authorization non-Java 2 21 authorization API installing 2 authorization server 2 azn_entitlements_get_entitlements() function

F
file 10 files, installation directories 2

I
IBM Directory client 3 installation 2 installation directories 2 installation requirements 3 22

B
building applications 3

J
JAAS 9, 19 JAAS login file configuring 19 JAAS model 9 JAAS policy 10 jaas.policy 10 Java 2 permission model 9 Java 2 security 8 Java application 14 Java classes 2 java runtime component 4 java.security 10

C
classes PDAttrs 26 PDAttrValue 27 PDAttrValueList 27 PDAttrValues 28 PDLoginModule 25 PDPermission 26 PDPrincipal 25 PDStatics 28 SvrSslCfg 31 com.tivoli.mts.PDAttrs() 37 com.tivoli.mts.SvrSslCfg 37 com.tivoli.nts.PDAttrs.get() 37 com.tivoli.pd.jcfg.SvrSslCfg class 31 configuration 19 configuring 4 application server 15 configuring into secure domain 14 credentials 9

L
local mode configuring 16 LoginModule 9

N
NameCallback 9

O
obtaining 9

D
defining 10 deploying an application 5 deprecated classes and methods 37 com.tivoli.mts.PDAttrs 37 com.tivoli.mts.PDAttrs.get() 37 com.tivoli.mts.PDAttrs() 37 com.tivoli.mts.PDAttrValue 37 com.tivoli.mts.PDAttrValueList 37 com.tivoli.mts.PDAttrValues 37 com.tivoli.mts.PDStaticss 37 com.tivoli.mts.SvrSslCfg 31, 37 development systems, adding 3

P
PasswordCallback 9 PD.jar 29 PD.jar file 2 PDAttrs class 26 PDAttrValue class 27 PDAttrValueList class 27 PDAttrValues class 28 PDLoginModule 11 PDLoginModule class 25 PDPermission 10 PDPermission class 26 PDPrincipal class 25 PDPrincipal.getEntitlements 22 PDStatics class 28 protected objects entitlements service

E
entitlements 22 entitlements service plug-in 22

22

R
registry, user 3 related publications xii remote mode configuring 16 requirements, for installation resource manager sample code 20

S
secure domain 3 service plug-ins 22 signed JAR files 4 software requirements 3 SSL 2 SvrSslCfg 14 addsvr 34 chgsvr 35 config 34 configuring application server 15 replcert 35 rmsvr 35 setdbdir 35 setdblisten 36 setdbref 36 setport 35 syntax 31 unconfig 34 SvrSslCfg class 31 adding a policy or authorization server 16 changing a policy or authorization server 17 configuring a server in local mode 16 configuring a server in remote mode 16 removing a policy or authorization server 17 replacing a certificate 17 setting the application listening mode 18 setting the database directory 17 setting the database refresh interval 18 setting the port 17 unconfiguring an application server 16

T
troubleshooting 5

U
upgrading Tivoli Access Manager user authentication 9 user registry 3 29

Printed in USA

SC32-1350-00