This topic applies only to the z/OS platform

ConsolidateJAASAuthAliases.py script

ConsolidateJAASAuthAliases.py is a wsadmin script that is used to consolidate the JAAS authentication aliases, which are used for database access. These aliases are defined by the augmentation process or are defined when a deployment environment is created.

Introduction

When the IBM® Business Process Manager for z/OS® server accesses a secure database subsystem, one of the security mechanisms available to it involves the use of JAAS authentication aliases. A JAAS authentication alias specifies a user identifier and password that are provided when the database subsystem requests authentication credentials. The augmentation process or the generation of a deployment environment defines a set of JAAS authentication aliases that are associated with the various data sources and service integration buses for use when they access the database.

A fully configured IBM Business Process Manager system consists of the following resources and JAAS authentication aliases:

Table 1. JAAS authentication aliases for data sources
Data source JAAS authentication alias
ESBLoggerMediationDataSource WPSDB_Auth_Alias, WPSDB_Auth_Alias_XAR
WPS data source WPSDB_Auth_Alias, WPSDB_Auth_Alias_XAR
WPS data source_CF WPSDB_Auth_Alias, WPSDB_Auth_Alias_XAR
Process Server data source processdblogon, processdblogon_XAR
Process Server data source_CF processdblogon, processdblogon_XAR
Process Server ME data source PROCSVRME_Auth_Alias, PROCSVRME_Auth_Alias_XAR
Process Server ME data source_CF PROCSVRME_Auth_Alias, PROCSVRME_Auth_Alias_XAR
Performance Data Warehouse data source performancedblogon, performancedblogon_XAR
Performance Data Warehouse data source_CF performancedblogon, performancedblogon_XAR
Performance Data Warehouse ME data source PERFDWME_Auth_Alias, PERFDWME_Auth_Alias_XAR
Performance Data Warehouse ME data source_CF PERFDWME_Auth_Alias, PERFDWME_Auth_Alias_XAR
Business Space data source BSPACE_Auth_Alias, BSPACE_Auth_Alias_XAR
Business Space data source_CF BSPACE_Auth_Alias, BSPACE_Auth_Alias_XA
CEI ME data source CEIME_<deployment environment>.AppTarget_Auth_Alias, CEIME_<deployment environment>.AppTarget_Auth_Alias_XAR
CEI ME data source_CF CEIME_<deployment environment>.AppTarget_Auth_Alias, CEIME_<deployment environment>.AppTarget_Auth_Alias_XAR
SCA System Bus ME data source SCASYSME00_Auth_Alias, SCASYSME00_Auth_Alias_XAR
SCA System Bus ME data source_CF SCASYSME00_Auth_Alias, SCASYSME00_Auth_Alias_XAR
SCA Application Bus ME data source SCAAPPME00_Auth_Alias, SCAAPPME00_Auth_Alias_XAR
SCA Application Bus ME data source_CF SCAAPPME00_Auth_Alias, SCAAPPME00_Auth_Alias_XAR
BPCDataSource BPCDB_<deployment environment>.AppTarget_Auth_Alias, BPCDB_<deployment environment>.AppTarget_Auth_Alias_XAR
BPCDataSource_CF BPCDB_<deployment environment>.AppTarget_Auth_Alias, BPCDB_<deployment environment>.AppTarget_Auth_Alias_XAR
Business Process Choreographer ME data source BPCME_00_Auth_Alias, BPCME_00_Auth_Alias_XAR
Business Process Choreographer ME data source_CF BPCME_00_Auth_Alias, BPCME_00_Auth_Alias_XAR
BPCRFDataSource OBSVRDB_<deployment environment>.AppTarget_Auth_Alias, OBSVRDB_<deployment environment>.AppTarget_Auth_Alias_XAR
BPCRFDataSource_CF OBSVRDB_<deployment environment>.AppTarget_Auth_Alias, OBSVRDB_<deployment environment>.AppTarget_Auth_Alias_XAR
Table 2. JAAS authentication aliases for service integration buses
Service integration bus JAAS authentication alias
<qualifier>BPC.<cell>.Bus BPCME_00_Auth_Alias
<qualifier>CEI.<cell>.Bus CEIME_<deployment environment>.AppTarget_Auth_Alias
<qualifier>SCA.APPLICATION.<cell>.Bus SCAAPPME00_Auth_Alias
<qualifier>SCA.SYSTEM.<cell>.Bus SCASYSME00_Auth_Alias
<qualifier>PROCSVR.<cell>.Bus PROCSVRME_Auth_Alias
<qualifier>PERFDW.<cell>.Bus PERFDWME_Auth_Alias

On z/OS all the various data repositories are usually defined to access the same z/OS database subsystem; for example, DB2® for z/OS. In addition, authentication to this common database subsystem is carried out using the same user identifier and password. It would not be uncommon for many, if not all, of the JAAS authentication aliases to be defined with the same user identifier and password.

Having a number of JAAS authentication aliases defined with the same user identifier and password parameters presents a number of concerns:
  • The password for database access will not normally expire, but if it needs to be changed for some reason, it needs to be changed in all the JAAS authentication aliases.
  • The administrative console panel for working with JAAS authentication aliases is more cluttered, which reduces usability.
  • The names of the JAAS authentication aliases might not conform to local naming conventions.

Purpose

Optionally, you can run the ConsolidateJAASAuthAliases.py script to address these issues. The script is invoked by the WebSphere® wsadmin utility to perform the following actions:
  • Consolidate the various JAAS authentication aliases listed in Table 1 and Table 2 into a single entry.
  • Reassign all the resources that referenced the original aliases so that they use the new alias.
  • Delete the original aliases.
The result is a single JAAS authentication alias that is used to authenticate database access for all the resources created by the IBM Business Process Manager for z/OS configuration process.

ConsolidateJAASAuthAliases script

The wsadmin Jython script can be used to consolidate the various JAAS authentication aliases created by IBM Business Process Manager configuration into a single entry.

By default, the location of the script is /usr/lpp/zWebSphere/V8R0/zOS-config/samples.

Invocation of the script

The script is provided as an argument to the WebSphere wsadmin tool. You can provide six mandatory parameters and one optional parameter to the script. The following code shows the syntax for the wsadmin Jython script (split over several lines to improve clarity):
/AppServerRoot/bin/wsadmin.sh
	-host host_name
	-port host_port
	-f ConsolidateJAASAuthAliases.py
	JAAS_authentication_alias_name
	user_ID
	password
	[scan mode]

Parameters

-host host_name
The host address of the target server, or of the deployment manager for a network deployment cell.
-port host_port
The SOAP port number of the target server.
-f ConsolidateJAASAuthAliases.py
If the script is not located in the current directory, you must include the path in which the script is stored.
JAAS_authentication_alias_name
The name of the new JAAS authentication alias to be created. This can be any name, but it is good practice to choose a descriptive name; for example, BPMDBAccess.
user_ID
The user identifier to be provided for authentication to the database subsystem.
password
The password to be provided for authentication to the database subsystem.
Note: If WebSphere security is enabled (the default), the user_ID and password parameters are required to run the wsadmin script in connected mode. Alternatively, you can shut down the server and then run wsadmin -conntype none (without any host, port, user, or password settings).
[scan mode]
An optional parameter. If this parameter is missing (that is, only two parameters are provided to the script) any changes made by the script are committed when the script completes processing. If any string is provided as a seventh parameter, the script reports all the changes that it would make, but they are rolled back when the script completes processing. Scan mode can be useful for assessing the scope of the changes that the script will effect.

The script provides a report of all the actions it has taken.

Script processing

Processing of the script consists of the following steps:
  1. A new JAAS authentication alias is created, based on the parameters provided to the script.
  2. All the JAAS authentication aliases of interest are identified. The script searches through the list of all aliases looking for alias names that match the following patterns:
    • Starts with "BPCDB_"
    • Starts with "BPCME_"
    • Is equal to "BSPACE_Auth_Alias"
    • Starts with "CEIME_"
    • Starts with "OBSVRDB_"
    • Starts with "PERFDWME_"
    • Starts with "PROCSVRME_"
    • Starts with "SCAAPPME"
    • Starts with "SCASYSME"
    • Is equal to "WPSDB_Auth_Alias"
    • Starts with "performancedblogon"
    • Starts with "processdblogon"
  3. For each identified alias, all occurrences of it are replaced with the new alias in JDBC data source definitions.
  4. For each identified alias, all occurrences of it are replaced with the new alias in SIBus messaging engine data store definitions.
  5. All of the identified aliases are removed from the WebSphere configuration.

If no third parameter is supplied to the script, the changes are committed. If any string is provided as a third parameter, the changes are backed out, although the script still reports the changes that it would have made.

Sample output

The following output shows a sample execution of the script:
/WebSphere/V8T5DM/DeploymentManager/bin/wsadmin.sh -user wsadmin -password admn4was -host winabcd0.company.ibm.com -port 20502 -f ConsolidateJAASAuthAliases.py DB2zOSAlias wsadmin admn4was >sysout.txt

WASX7209I: Connected to process "dmgr" on node T5NodeDmgrMVP0 using SOAP connector;  The type of process is: DeploymentManager
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[DB2zOSAlias, wsadmin, gadzooks]"

ConsolidateJAASAuthAliases: Starting

   Created JAAS alias: DB2zOSAlias

   Replacing alias reference in data source: ESBLoggerMediationDataSource
      WPSDB_Auth_Alias => DB2zOSAlias

   Replacing alias reference in data source: WPS data source
      WPSDB_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: WPS data source_CF
      Component-managed WPSDB_Auth_Alias

   Removing alias: WPSDB_Auth_Alias

   Replacing XA recovery alias reference in data source: ESBLoggerMediationDataSource
      WPSDB_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in data source: WPS data source
      WPSDB_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: WPS data source_CF
      WPSDB_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: WPSDB_Auth_Alias_XAR

   Replacing alias reference in data source: Process Server data source
      processdblogon => DB2zOSAlias

   Replacing alias reference in data source: Process Server data source
      processdblogon => DB2zOSAlias

   Replacing alias reference in CMP connection factory: Process Server data source_CF
      Component-managed processdblogon

   Replacing alias reference in CMP connection factory: Process Server data source_CF
      Component-managed processdblogon

   Removing alias: processdblogon

   Replacing XA recovery alias reference in data source: Process Server data source
      processdblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in data source: Process Server data source
      processdblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Process Server data source_CF
      processdblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Process Server data source_CF
      processdblogon_XAR => DB2zOSAlias

   Removing alias: processdblogon_XAR

   Replacing alias reference in data source: Process Server ME data source
      PROCSVRME_Auth_Alias => DB2zOSAlias

   Replacing alias reference in SIBus data store of ME: T5DepEnv.AppTarget.000-PROCSVR.T5Cell.Bus
      PROCSVRME_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: Process Server ME data source_CF
      Component-managed PROCSVRME_Auth_Alias

   Removing alias: PROCSVRME_Auth_Alias

   Replacing XA recovery alias reference in data source: Process Server ME data source
      PROCSVRME_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Process Server ME data source_CF
      PROCSVRME_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: PROCSVRME_Auth_Alias_XAR

   Replacing alias reference in data source: Performance Data Warehouse data source
      performancedblogon => DB2zOSAlias

   Replacing alias reference in data source: Performance Data Warehouse data source
      performancedblogon => DB2zOSAlias

   Replacing alias reference in data source: Performance Data Warehouse data source
      performancedblogon => DB2zOSAlias

   Replacing alias reference in CMP connection factory: Performance Data Warehouse data source_CF
      Component-managed performancedblogon

   Replacing alias reference in CMP connection factory: Performance Data Warehouse data source_CF
      Component-managed performancedblogon

   Replacing alias reference in CMP connection factory: Performance Data Warehouse data source_CF
      Component-managed performancedblogon

   Removing alias: performancedblogon

   Replacing XA recovery alias reference in data source: Performance Data Warehouse data source
      performancedblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in data source: Performance Data Warehouse data source
      performancedblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in data source: Performance Data Warehouse data source
      performancedblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Performance Data Warehouse data source_CF
      performancedblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Performance Data Warehouse data source_CF
      performancedblogon_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Performance Data Warehouse data source_CF
      performancedblogon_XAR => DB2zOSAlias

   Removing alias: performancedblogon_XAR

   Replacing alias reference in data source: Performance Data Warehouse  ME data source
      PERFDWME_Auth_Alias => DB2zOSAlias

   Replacing alias reference in SIBus data store of ME: T5DepEnv.AppTarget.000-PERFDW.T5Cell.Bus
      PERFDWME_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: Performance Data Warehouse  ME data source_CF
      Component-managed PERFDWME_Auth_Alias

   Removing alias: PERFDWME_Auth_Alias

   Replacing XA recovery alias reference in data source: Performance Data Warehouse  ME data source
      PERFDWME_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Performance Data Warehouse  ME data source_CF
      PERFDWME_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: PERFDWME_Auth_Alias_XAR

   Replacing alias reference in data source: Business Space data source
      BSPACE_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: Business Space data source_CF
      Component-managed BSPACE_Auth_Alias

   Removing alias: BSPACE_Auth_Alias

   Replacing XA recovery alias reference in data source: Business Space data source
      BSPACE_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Business Space data source_CF
      BSPACE_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: BSPACE_Auth_Alias_XAR

   Replacing alias reference in data source: CEI ME data source
      CEIME_T5DepEnv.AppTarget_Auth_Alias => DB2zOSAlias

   Replacing alias reference in SIBus data store of ME: T5DepEnv.AppTarget.000-CEI.T5Cell.Bus
      CEIME_T5DepEnv.AppTarget_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: CEI ME data source_CF
      Component-managed CEIME_T5DepEnv.AppTarget_Auth_Alias

   Removing alias: CEIME_T5DepEnv.AppTarget_Auth_Alias

   Replacing XA recovery alias reference in data source: CEI ME data source
      CEIME_T5DepEnv.AppTarget_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: CEI ME data source_CF
      CEIME_T5DepEnv.AppTarget_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: CEIME_T5DepEnv.AppTarget_Auth_Alias_XAR

   Replacing alias reference in data source: SCA System Bus ME data source
      SCASYSME00_Auth_Alias => DB2zOSAlias

   Replacing alias reference in SIBus data store of ME: T5DepEnv.AppTarget.000-SCA.SYSTEM.T5Cell.Bus
      SCASYSME00_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: SCA System Bus ME data source_CF
      Component-managed SCASYSME00_Auth_Alias

   Removing alias: SCASYSME00_Auth_Alias

   Replacing XA recovery alias reference in data source: SCA System Bus ME data source
      SCASYSME00_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: SCA System Bus ME data source_CF
      SCASYSME00_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: SCASYSME00_Auth_Alias_XAR

   Replacing alias reference in data source: SCA Application Bus ME data source
      SCAAPPME00_Auth_Alias => DB2zOSAlias

   Replacing alias reference in SIBus data store of ME: T5DepEnv.AppTarget.000-SCA.APPLICATION.T5Cell.Bus
      SCAAPPME00_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: SCA Application Bus ME data source_CF
      Component-managed SCAAPPME00_Auth_Alias

   Removing alias: SCAAPPME00_Auth_Alias

   Replacing XA recovery alias reference in data source: SCA Application Bus ME data source
      SCAAPPME00_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: SCA Application Bus ME data source_CF
      SCAAPPME00_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: SCAAPPME00_Auth_Alias_XAR

   Replacing alias reference in data source: BPCDataSource
      BPCDB_T5DepEnv.AppTarget_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: BPCDataSource_CF
      Component-managed BPCDB_T5DepEnv.AppTarget_Auth_Alias

   Removing alias: BPCDB_T5DepEnv.AppTarget_Auth_Alias

   Replacing XA recovery alias reference in data source: BPCDataSource
      BPCDB_T5DepEnv.AppTarget_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: BPCDataSource_CF
      BPCDB_T5DepEnv.AppTarget_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: BPCDB_T5DepEnv.AppTarget_Auth_Alias_XAR

   Replacing alias reference in data source: Business Process Choreographer ME data source
      BPCME_00_Auth_Alias => DB2zOSAlias

   Replacing alias reference in SIBus data store of ME: T5DepEnv.AppTarget.000-BPC.T5Cell.Bus
      BPCME_00_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: Business Process Choreographer ME data source_CF
      Component-managed BPCME_00_Auth_Alias

   Removing alias: BPCME_00_Auth_Alias

   Replacing XA recovery alias reference in data source: Business Process Choreographer ME data source
      BPCME_00_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: Business Process Choreographer ME data source_CF
      BPCME_00_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: BPCME_00_Auth_Alias_XAR

   Replacing alias reference in data source: BPCRFDataSource
      OBSVRDB_T5DepEnv.AppTarget_Auth_Alias => DB2zOSAlias

   Replacing alias reference in CMP connection factory: BPCRFDataSource_CF
      Component-managed OBSVRDB_T5DepEnv.AppTarget_Auth_Alias

   Removing alias: OBSVRDB_T5DepEnv.AppTarget_Auth_Alias

   Replacing XA recovery alias reference in data source: BPCRFDataSource
      OBSVRDB_T5DepEnv.AppTarget_Auth_Alias_XAR => DB2zOSAlias

   Replacing XA recovery alias reference in CMP connection factory: BPCRFDataSource_CF
      OBSVRDB_T5DepEnv.AppTarget_Auth_Alias_XAR => DB2zOSAlias

   Removing alias: OBSVRDB_T5DepEnv.AppTarget_Auth_Alias_XAR

   Saving configuration

ConsolidateJAASAuthAliases: Completed
If the third scan mode parameter is provided, the Saving configuration message is replaced by the Running in scan mode, no updates committed message. For example:
./wsadmin.sh -host winmvsp1 -port 20502 
    -f /u/healdr/Jython/ConsolidateJAASAuthAliases.py DB2Alias wsadmin admn4was y 

/WebSphere/V8T5DM/DeploymentManager/bin:>./wsadmin.sh -host winmvsp 1 -port 20502 
    -f /u/healdr/Jython/ConsolidateJAASAuthAliases.py DB2Alias wsadmin gadzooks y 
WASX7209I: Connected to process "dmgr" on node T5NodeDmgrMVP1 using SOAP connector; 
    The type of process is: DeploymentManager 
WASX7303I: The following options are passed to the scripting environment and are available as 
    arguments that are stored in the argv variable: "[DB2Alias, wsadmin, gadzooks, y]" 

ConsolidateJAASAuthAliases: Starting 

Created JAAS alias: DB2Alias 

... 

Removing alias: BSPACE_Auth_Alias 

Running in scan mode, no updates committed 

ConsolidateJAASAuthAliases: Completed

References

The following references provide more information about wsadmin and Jython scripting:

Parent topic: Commands (wsadmin scripting)