ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaha_5.4.0.1/jaasprep.htm

154 lines
9.7 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Prepare and configure an iSeries server for Java Authentication and Authorization Service" />
<meta name="abstract" content="You must meet software requirements and configure your iSeries server to use Java Authentication and Authorization Service (JAAS)." />
<meta name="description" content="You must meet software requirements and configure your iSeries server to use Java Authentication and Authorization Service (JAAS)." />
<meta name="DC.Relation" scheme="URI" content="jaasbase.htm" />
<meta name="DC.Relation" scheme="URI" content="api.htm" />
<meta name="DC.Relation" scheme="URI" content="jaassamp.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="jaasprep" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Prepare and configure an iSeries server for Java Authentication
and Authorization Service</title>
</head>
<body id="jaasprep"><a name="jaasprep"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Prepare and configure an iSeries server for Java Authentication
and Authorization Service</h1>
<div><p>You must meet software requirements and configure your iSeries™ server
to use Java™ Authentication and Authorization Service (JAAS).</p>
<div class="section"><p><strong>Software requirements to run JAAS 1.0 on an iSeries server</strong></p>
<p>Install
the following licensed programs:</p>
<ul><li>Java 2
SDK, version 1.4 (J2SDK) or above</li>
<li>The IBM<sup>®</sup> Toolbox
for Java (mod
4) Licensed Program (5722-JC1) is required to change the OS thread identity.
It contains the ProfileTokenCredential classes needed to support the changing
of iSeries OS
thread identity and the native implementation classes.</li>
</ul>
<strong>Configure the system</strong><p>To configure the system to use JAAS, follow
these steps:</p>
</div>
<ol><li class="stepexpand"><span>For J2SDK 1.3, add a symbolic link to the extension directory for
the jaas13.jar file. The extension class loader should load the JAR file.
Run this command (all one line) on the iSeries command line to add the link:
</span> <pre> ADDLNK OBJ('/QIBM/ProdData/OS400/Java400/ext/jaas13.jar')
NEWLNK('/QIBM/ProdData/Java400/jdk13/lib/ext/jaas13.jar')</pre>
<p><strong>Note:</strong> For J2SDK 1.4 and above, you do not need to
add a symbolic link to the extension directory. JAAS is part of the base SDK
for this version. </p>
</li>
<li class="stepexpand"><span>A default login.config file is provided in ${java.home}/lib/security
which invokes com.ibm.as400.security.auth.login.BasicAuthenticationLoginModule.
This login.config file attaches a single use ProfileTokenCredential to the
authenticated subject. If you want to use your own login.config file with
different options, you may include the following system property when invoking
your application: </span> <pre> -Djava.security.auth.login.config=<strong>your login.config file</strong></pre>
</li>
<li class="stepexpand"><span>Add a symbolic link to the extension directory for the jt400Native.jar
file. This allows the extension class loader to load this file. The jaas13.jar
file requires this JAR file for the credential implementation classes that
are part of the IBM Toolbox
for Java.
The application class loader can also load this file by including it in the
CLASSPATH. If this file is loaded from the class path directory, do not add
the symbolic link to the extension directory. </span> <p>Symbolically
linking the jt400Native.jar file to the /QIBM/ProdData/Java400/jdk14/lib/ext
directory forces all J2SDK 1.4 users on the server to run with this version
of jt400Native.jar. This may not be desirable if various users require different
versions of the IBM Toolbox
for Java classes.
Other options include putting jt400Native.jar in the application CLASSPATH
as described previously. Another option is to add the symbolic link to your
own directory and then include that directory in the extension directory classpath
by specifying the java.ext.dirs system property when invoking the application.</p>
<p>To
link the jt400Native.jar file to the /QIBM/ProdData/Java400/jdk13/lib/ext
directory, run this command on the iSeries command line to add the link:</p>
<blockquote><pre>ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar')
NEWLNK('/QIBM/ProdData/Java400/jdk13/lib/ext/jt400Native.jar')</pre>
</blockquote>
To link the jt400Native.jar file to the /QIBM/ProdData/Java400/jdk14/lib/ext
directory, run this command on the iSeries command line to add the link:
<blockquote><pre>ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar')
NEWLNK('/QIBM/ProdData/Java400/jdk14/lib/ext/jt400Native.jar')</pre>
</blockquote>
To link the jt400Native.jar file to your own directory, do the following:
<ol type="a"><li class="substepexpand"><span>Run this command on the iSeries command line to add the link:</span> <blockquote><pre>ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar')
NEWLNK('<strong>your extension directory</strong>/jt400Native.jar') </pre>
</blockquote>
</li>
<li class="substepexpand"><span>When calling your java program, use the following pattern:</span> <blockquote><pre>java -Djava.ext.dirs=<strong>your extension directory:default
extension directories</strong></pre>
</blockquote>
<div class="note"><span class="notetitle">Note:</span> See the <a href="../rzahh/page1.htm">IBM Toolbox for Java</a> for information on the iSeries credential
classes. Click on <strong>Security classes</strong>. Click on <strong>Authentication Services</strong>.
Click on <strong>ProfileTokenCredential</strong> class. Click on <strong>Package</strong>.</div>
</li>
</ol>
</li>
<li class="stepexpand"><span>Update the Java 2 policy files to grant the appropriate
permissions to the actual locations of the IBM Toolbox for Java JAR files. Even though these files
may be symbolically linked to the extension directories and those directories
are granted java.security.AllPermission in the ${java.home}/lib/security/java.policy
file, authorization is based on the actual location of the JAR files.</span> <p>To successfully use the credential classes in the IBM Toolbox for Java,
add the following to the Java 2 policy file of your application:</p>
<pre>grant codeBase "file:/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar"
{
permission javax.security.auth.AuthPermission "modifyThreadIdentity";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.RuntimePermission "readFileDescriptor";
}</pre>
You also need to add these permissions for the codeBase of
your application since the operations performed by the IBM Toolbox for Java JAR files do not run in privileged
mode. <p>See the <a href="api.htm#api">Java Authentication and Authorization Service (JAAS) 1.0</a> for information on the Java 2
policy files.</p>
</li>
<li class="stepexpand"><span>Make sure the iSeries Host Servers are started and running. The
ProfileTokenCredential classes that reside in the Toolbox, for example, jt400Native.jar,
are used as the credentials that are attached to the authenticated subject.
The credential classes require access to the Host Servers. You can verify
that the servers are started and running by typing the following on the iSeries command
prompt: </span> <pre>StrHostSVR *all
StrTcpSvr *DDM</pre>
If the servers have already been started, these
steps do nothing. If the servers are not started, they are started by these
steps.</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="jaasbase.htm" title="The Java Authentication and Authorization Service (JAAS) is a standard extension to the Java 2 Software Development Kit (J2SDK), Standard Edition. J2SDK provides access controls that are based on where the code originated and who signed the code (code source-based access controls). It lacks, however, the ability to enforce additional access controls based on who runs the code. JAAS provides a framework that adds this support to the Java 2 security model.">Java Authentication and Authorization Service</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="jaassamp.htm" title="This topic contains samples of Java Authentication and Authorization Service (JAAS) on an iSeries server.">Java Authentication and Authorization Service samples</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="api.htm" title="This document was last updated March 17, 2000.">Java Authentication and Authorization Service (JAAS) 1.0</a></div>
</div>
</div>
</body>
</html>