Prepare and configure an iSeries server for Java Authentication and Authorization Service

You must meet software requirements and configure your iSeries™ server to use Java™ Authentication and Authorization Service (JAAS).

Software requirements to run JAAS 1.0 on an iSeries server

Install the following licensed programs:

Configure the system

To configure the system to use JAAS, follow these steps:

  1. For J2SDK 1.3, add a symbolic link to the extension directory for the jaas13.jar file so that the extension class loader loads the JAR file. Run this command (all one line) on the iSeries command line to add the link:
         ADDLNK OBJ('/QIBM/ProdData/OS400/Java400/ext/jaas13.jar') NEWLNK('/QIBM/ProdData/Java400/jdk13/lib/ext/jaas13.jar')

    Note: For J2SDK 1.4 and above, you do not need to add a symbolic link to the extension directory. JAAS is part of the base SDK for this version.

  2. A default login.config file is provided in ${java.home}/lib/security; it invokes com.ibm.as400.security.auth.login.BasicAuthenticationLoginModule and attaches a single-use ProfileTokenCredential to the authenticated subject. If you want to use your own login.config file with different options, include the following system property when invoking your application:
         -Djava.security.auth.login.config=your login.config file
  3. Add a symbolic link to the extension directory for the jt400Native.jar file. This allows the extension class loader to load this file. The jaas13.jar file requires this JAR file for the credential implementation classes that are part of the IBM Toolbox for Java. The application class loader can also load this file by including it in the CLASSPATH. If this file is loaded from the class path directory, do not add the symbolic link to the extension directory.

    Symbolically linking the jt400Native.jar file to the /QIBM/ProdData/Java400/jdk14/lib/ext directory forces all J2SDK 1.4 users on the server to run with this version of jt400Native.jar. This may not be desirable if various users require different versions of the IBM Toolbox for Java classes. Other options include putting jt400Native.jar in the application CLASSPATH as described previously. Another option is to add the symbolic link to your own directory and then include that directory in the extension directory classpath by specifying the java.ext.dirs system property when invoking the application.

    To link the jt400Native.jar file to the /QIBM/ProdData/Java400/jdk13/lib/ext directory, run this command on the iSeries command line to add the link:

       ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar') NEWLNK('/QIBM/ProdData/Java400/jdk13/lib/ext/jt400Native.jar')

    To link the jt400Native.jar file to the /QIBM/ProdData/Java400/jdk14/lib/ext directory, run this command on the iSeries command line to add the link:

       ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar') NEWLNK('/QIBM/ProdData/Java400/jdk14/lib/ext/jt400Native.jar')

    To link the jt400Native.jar file to your own directory, do the following:
    1. Run this command on the iSeries command line to add the link:
       ADDLNK OBJ('/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar') NEWLNK('your extension directory/jt400Native.jar')
    2. When calling your Java program, use the following pattern:
       java -Djava.ext.dirs=your extension directory:default extension directories

    Note: For information on the iSeries credential classes, see the IBM Toolbox for Java documentation under Security classes, Authentication Services, ProfileTokenCredential class, Package.
  4. Update the Java 2 policy files to grant the appropriate permissions to the actual locations of the IBM Toolbox for Java JAR files. Even though these files may be symbolically linked to the extension directories and those directories are granted java.security.AllPermission in the ${java.home}/lib/security/java.policy file, authorization is based on the actual location of the JAR files.

    To successfully use the credential classes in the IBM Toolbox for Java, add the following to the Java 2 policy file of your application:

    grant codeBase "file:/QIBM/ProdData/OS400/jt400/lib/jt400Native.jar" {
        permission javax.security.auth.AuthPermission "modifyThreadIdentity";
        permission java.lang.RuntimePermission "loadLibrary.*";
        permission java.lang.RuntimePermission "writeFileDescriptor";
        permission java.lang.RuntimePermission "readFileDescriptor";
    };

    You also need to grant these permissions to the codeBase of your application: the IBM Toolbox for Java JAR files do not perform these operations in privileged mode (AccessController.doPrivileged), so the permission check covers every caller on the stack, including your application's own code.

    See the Java Authentication and Authorization Service (JAAS) 1.0 for information on the Java 2 policy files.

  5. Make sure the iSeries Host Servers are started and running. The ProfileTokenCredential classes in the Toolbox JAR file (jt400Native.jar) are used as the credentials attached to the authenticated subject, and these credential classes require access to the Host Servers. You can verify that the servers are started and running by typing the following on the iSeries command prompt:
    StrHostSVR *all
    StrTcpSvr *DDM
    If the servers have already been started, these steps do nothing. If the servers are not started, they are started by these steps.
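The following class ties steps 2 through 5 together from the application's side. It is an added example, not IBM code and not part of this page: the class name JaasPreflight is hypothetical, the login.config entry name is taken from the command line because the page does not state the name of the entry in the default file, and it is assumed that BasicAuthenticationLoginModule requests the user profile and password through the standard NameCallback and PasswordCallback (check the Toolbox documentation named in step 3). Before attempting a login it checks that the Java 2 policy in force grants the calling codeBase the four permissions listed in step 4, which is the check a practitioner wants when a login fails with an AccessControlException after the JAR file has been linked into an extension directory. It is written at the Java 1.3/1.4 language level the page targets, so it uses no generics.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

// Added example with a hypothetical class name; not IBM code. Java 1.3/1.4 level (no generics).
public class JaasPreflight {
    // Permissions step 4 requires for the application codeBase: the Toolbox does
    // not wrap its work in AccessController.doPrivileged, so the check reaches us.
    static final Permission[] REQUIRED = {
        new AuthPermission("modifyThreadIdentity"),
        new RuntimePermission("loadLibrary.*"),
        new RuntimePermission("writeFileDescriptor"),
        new RuntimePermission("readFileDescriptor")
    };

    // Returns the required permissions that the calling protection domains lack.
    public static List missingPermissions() {
        List missing = new ArrayList();
        for (int i = 0; i < REQUIRED.length; i++) {
            try {
                AccessController.checkPermission(REQUIRED[i]);
            } catch (AccessControlException e) {
                missing.add(REQUIRED[i].toString());
            }
        }
        return missing;
    }

    // Answers the login module's callbacks. Assumption: BasicAuthenticationLoginModule
    // requests the user profile and password through NameCallback and PasswordCallback.
    static class ProfileCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        ProfileCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(user);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }

    // Runs the login modules of the named login.config entry (step 2) and returns
    // the context so the caller can read the Subject and log out afterwards.
    public static LoginContext login(String entry, String user, char[] password)
            throws LoginException {
        LoginContext lc = new LoginContext(entry, new ProfileCallbackHandler(user, password));
        lc.login();
        return lc;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: JaasPreflight <login.config entry> <user profile>");
            System.exit(2);
        }
        List missing = missingPermissions();
        if (!missing.isEmpty()) {
            System.err.println("policy does not grant this codeBase: " + missing);
            System.exit(1);   // fix the Java 2 policy file (step 4) before logging in
        }
        System.err.print("password for " + args[1] + ": ");
        char[] password = new BufferedReader(new InputStreamReader(System.in)).readLine().toCharArray();
        LoginContext lc;
        try {
            lc = login(args[0], args[1], password);
        } finally {
            Arrays.fill(password, ' ');   // the login module has consumed it; do not keep it
        }
        try {
            Subject subject = lc.getSubject();
            System.out.println("principals: " + subject.getPrincipals());
            // The default login.config attaches a single-use ProfileTokenCredential;
            // report its class name only, never the token itself.
            for (Iterator it = subject.getPrivateCredentials().iterator(); it.hasNext();) {
                System.out.println("credential: " + it.next().getClass().getName());
            }
            // Work that must run under the authenticated identity goes through Subject.doAs.
            Subject.doAs(subject, new PrivilegedAction() {
                public Object run() {
                    Subject s = Subject.getSubject(AccessController.getContext());
                    System.out.println("doAs sees: " + s.getPrincipals());
                    return null;
                }
            });
        } finally {
            lc.logout();   // releases the credential attached to the subject
        }
    }
}
```

Run it with jt400Native.jar on the class path or in an extension directory as described in step 3, and with -Djava.security.auth.login.config pointing at the login.config file in use if it is not the default. When the application runs under a security manager (-Djava.security.manager with -Djava.security.policy naming your policy file), its codeBase also needs the standard JAAS grants javax.security.auth.AuthPermission "createLoginContext.<entry name>", "doAs" and "getSubject" in addition to the four permissions the preflight checks; a failure in missingPermissions() points at the policy file, a LoginException after a clean preflight points at the login.config entry, the credentials supplied, or the Host Servers of step 5.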
Related concepts
Java Authentication and Authorization Service samples
Related reference
Java Authentication and Authorization Service (JAAS) 1.0