<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Prepare and configure an iSeries server for Java Authentication and Authorization Service" />
<meta name="abstract" content="You must meet software requirements and configure your iSeries server to use Java Authentication and Authorization Service (JAAS)." />
<meta name="description" content="You must meet software requirements and configure your iSeries server to use Java Authentication and Authorization Service (JAAS)." />
<meta name="DC.Relation" scheme="URI" content="jaasbase.htm" />
<meta name="DC.Relation" scheme="URI" content="api.htm" />
<meta name="DC.Relation" scheme="URI" content="jaassamp.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="jaasprep" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Prepare and configure an iSeries server for Java Authentication and Authorization Service</title>
</head>
<body id="jaasprep"><a name="jaasprep"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Prepare and configure an iSeries server for Java Authentication and Authorization Service</h1>
<div><p>You must meet software requirements and configure your iSeries™ server to use Java™ Authentication and Authorization Service (JAAS).</p>
<div class="section"><p><strong>Software requirements to run JAAS 1.0 on an iSeries server</strong></p>
<p>Install the following licensed programs:</p>
<ul><li>Java 2 SDK, version 1.4 (J2SDK) or above</li>
<li>The IBM<sup>®</sup> Toolbox for Java (mod 4) Licensed Program (5722-JC1), which is required to change the OS thread identity. It contains the ProfileTokenCredential classes needed to change the iSeries OS thread identity, together with the native implementation classes.</li>
</ul>
<strong>Configure the system</strong><p>To configure the system to use JAAS, follow these steps:</p>
</div>
<ol><li class="stepexpand"><span>For J2SDK 1.3, add a symbolic link in the extension directory to the jaas13.jar file so that the extension class loader loads the JAR file. Run this command (all on one line) on the iSeries command line to add the link:</span> <pre> ADDLNK OBJ('/QIBM/ProdData/OS400/Java400/ext/jaas13.jar')
NEWLNK('/QIBM/ProdData/Java400/jdk13/lib/ext/jaas13.jar')</pre>
<p><strong>Note:</strong> For J2SDK 1.4 and above, you do not need to add a symbolic link to the extension directory, because JAAS is part of the base SDK in those versions.</p>
</li>
<li class="stepexpand"><span>A default login.config file is provided in ${java.home}/lib/security; it invokes com.ibm.as400.security.auth.login.BasicAuthenticationLoginModule. This login.config file attaches a single-use ProfileTokenCredential to the authenticated subject. If you want to use your own login.config file with different options, include the following system property when invoking your application: </span> <pre> -Djava.security.auth.login.config=<strong>your login.config file</strong></pre>
</li>
<li class="stepexpand"><span>Add a symbolic link in the extension directory to the jt400Native.jar file so that the extension class loader can load it. The jaas13.jar file requires this JAR file for the credential implementation classes that are part of the IBM Toolbox for Java. The application class loader can also load this file if you include it in the CLASSPATH. If the file is loaded from the class path directory, do not add the symbolic link to the extension directory. </span> <p>Symbolically linking the jt400Native.jar file into the /QIBM/ProdData/Java400/jdk14/lib/ext directory forces all J2SDK 1.4 users on the server to run with this version of jt400Native.jar. This may not be desirable if different users require different versions of the IBM Toolbox for Java classes. Other options include putting jt400Native.jar in the application CLASSPATH as described previously, or adding the symbolic link in a directory of your own and then including that directory in the extension directory class path by specifying the java.ext.dirs system property when invoking the application.</p>
<p>To link the jt400Native.jar file into the /QIBM/ProdData/Java400/jdk13/lib/ext directory, run this command on the iSeries command line to add the link:</p>
<blockquote><pre>ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar')
NEWLNK('/QIBM/ProdData/Java400/jdk13/lib/ext/jt400Native.jar')</pre>
</blockquote>
<p>To link the jt400Native.jar file into the /QIBM/ProdData/Java400/jdk14/lib/ext directory, run this command on the iSeries command line to add the link:</p>
<blockquote><pre>ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar')
NEWLNK('/QIBM/ProdData/Java400/jdk14/lib/ext/jt400Native.jar')</pre>
</blockquote>
<p>To link the jt400Native.jar file into your own directory, do the following:</p>
<ol type="a"><li class="substepexpand"><span>Run this command on the iSeries command line to add the link:</span> <blockquote><pre>ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar')
NEWLNK('<strong>your extension directory</strong>/jt400Native.jar')</pre>
</blockquote>
</li>
<li class="substepexpand"><span>When calling your Java program, use the following pattern:</span> <blockquote><pre>java -Djava.ext.dirs=<strong>your extension directory:default extension directories</strong></pre>
</blockquote>
<div class="note"><span class="notetitle">Note:</span> See the <a href="../rzahh/page1.htm">IBM Toolbox for Java</a> for information on the iSeries credential classes. Click on <strong>Security classes</strong>. Click on <strong>Authentication Services</strong>. Click on <strong>ProfileTokenCredential</strong> class. Click on <strong>Package</strong>.</div>
</li>
</ol>
</li>
<li class="stepexpand"><span>Update the Java 2 policy files to grant the appropriate permissions to the actual locations of the IBM Toolbox for Java JAR files. Even though these files may be symbolically linked into the extension directories, and those directories are granted java.security.AllPermission in the ${java.home}/lib/security/java.policy file, authorization is based on the actual location of the JAR files.</span> <p>To successfully use the credential classes in the IBM Toolbox for Java, add the following to the Java 2 policy file of your application:</p>
<pre>grant codeBase "file:/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar"
{
  permission javax.security.auth.AuthPermission "modifyThreadIdentity";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "writeFileDescriptor";
  permission java.lang.RuntimePermission "readFileDescriptor";
}</pre>
<p>You also need to add these permissions for the codeBase of your application, because the operations performed by the IBM Toolbox for Java JAR files do not run in privileged mode.</p> <p>See the <a href="api.htm#api">Java Authentication and Authorization Service (JAAS) 1.0</a> for information on the Java 2 policy files.</p>
</li>
<li class="stepexpand"><span>Make sure the iSeries Host Servers are started and running. The ProfileTokenCredential classes that reside in the Toolbox (for example, in jt400Native.jar) are used as the credentials that are attached to the authenticated subject, and these credential classes require access to the Host Servers. You can verify that the servers are started and running by typing the following on the iSeries command prompt: </span> <pre>StrHostSVR *all
StrTcpSvr *DDM</pre>
<p>If the servers have already been started, these commands do nothing. If the servers are not started, these commands start them.</p></li>
</ol>
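<p>The following is an added example, not IBM's code or part of this topic: a small Java preflight for steps 3 and 4 that reads the Java 2 policy your application will run under and reports, for the jt400Native.jar code source (at its symlink-resolved location, which is what authorization is based on) and for the application's own code source, which of the four permissions in the policy fragment above are not granted. The class name JaasPolicyPreflight is assumed; ProfileTokenCredential is loaded reflectively so the check compiles without the Toolbox on the class path.</p>

```java
import java.io.File;
import java.security.CodeSource;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.AuthPermission;

/** Preflight (assumed class name): does the Java 2 policy in effect grant the Toolbox
 *  JAR, at its symlink-resolved location, and this application the permissions the
 *  credential classes need? Run it with the same -Djava.security.policy=... and class
 *  path as the application but without -Djava.security.manager, so getProtectionDomain
 *  needs no grant; ProtectionDomain.implies still consults the policy files. */
public class JaasPolicyPreflight {
    /** The grants from the policy fragment for jt400Native.jar. The application
     *  codeBase needs them too, because the Toolbox does not run in privileged mode. */
    static Permission[] required() {
        return new Permission[] {
            new AuthPermission("modifyThreadIdentity"),
            new RuntimePermission("loadLibrary.*"),
            new RuntimePermission("writeFileDescriptor"),
            new RuntimePermission("readFileDescriptor") };
    }
    /** Required permissions that the policy does not grant to this domain. */
    static List missing(ProtectionDomain pd) {
        List gaps = new ArrayList();
        Permission[] req = required();
        for (int i = 0; i < req.length; i++)
            if (!pd.implies(req[i])) gaps.add(req[i].toString());
        return gaps;
    }
    /** The code source with symlinks resolved: the actual location the grant must name. */
    static String resolvedLocation(ProtectionDomain pd) throws java.io.IOException {
        CodeSource cs = pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) return "(bootstrap, no code source)";
        return new File(cs.getLocation().getPath()).getCanonicalPath();
    }
    public static void main(String[] args) throws Exception {
        // Loaded reflectively so this compiles even without the Toolbox on the class path.
        Class toolbox = Class.forName("com.ibm.as400.security.auth.ProfileTokenCredential");
        ProtectionDomain[] domains = { toolbox.getProtectionDomain(),
                                       JaasPolicyPreflight.class.getProtectionDomain() };
        String[] labels = { "jt400Native.jar", "application" };
        for (int i = 0; i < domains.length; i++) {
            List gaps = missing(domains[i]);
            System.out.println(labels[i] + " @ " + resolvedLocation(domains[i]) + ": "
                + (gaps.isEmpty() ? "all required permissions granted" : "MISSING " + gaps));
        }
    }
}
```

<p>A MISSING line for the application entry is the case the step above warns about: the Toolbox grant alone is not enough, and the printed canonical path is the codeBase the grant has to name when the JAR was loaded through a symbolic link.</p>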
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="jaasbase.htm" title="The Java Authentication and Authorization Service (JAAS) is a standard extension to the Java 2 Software Development Kit (J2SDK), Standard Edition. J2SDK provides access controls that are based on where the code originated and who signed the code (code source-based access controls). It lacks, however, the ability to enforce additional access controls based on who runs the code. JAAS provides a framework that adds this support to the Java 2 security model.">Java Authentication and Authorization Service</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="jaassamp.htm" title="This topic contains samples of Java Authentication and Authorization Service (JAAS) on an iSeries server.">Java Authentication and Authorization Service samples</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="api.htm" title="This document was last updated March 17, 2000.">Java Authentication and Authorization Service (JAAS) 1.0</a></div>
</div>
</div>
</body>
</html>