Stand-alone configuration

This section describes the stand-alone configuration.

To use the authz.enable-authorization option in the Registry Direct API, a PDAuthorizationContext instance from the Verify Identity Access Java API must be used. In such a case, it is better to use SvrSslCfg.

The configuration tool RgyConfig is provided in the JAR file along with the new API. The usage is as follows:

Usage:

    java com.tivoli.pd.rgy.util.RgyConfig <file> <command> [options]
      <file> configuration properties file path name
      <command> is one of:
        create <mgmt_domain> <local_domain> <ldap.svrs>
               <ldap.bind_dn> <ldap.bind_pwd> [<ldap.ssl_truststore>
               <ldap.ssl_truststore_pwd>]
        load <input properties file>
        set <name> <value>
        remove <name>
        get <name>
        list

The usage for a non-SSL example is:

    java com.tivoli.pd.rgy.util.RgyConfig /tmp/testapi.properties create Default Default "ldaphostname:389:readwrite:5" "cn=testapi,o=ibm,c=us" passw0rd

After you create the properties file, you can manipulate additional properties. For example, to set the ldap.enable-last-login property:

    java com.tivoli.pd.rgy.util.RgyConfig /tmp/testapi.properties set ldap.enable-last-login true

When you use the RgyConfig tool, you must manually create the server identity. Ensure that the Verify Identity Access subdomains include the server identity in the remote-acl-users group of the Verify Identity Access management domain. If the Verify Identity Access domain is not the default domain, the following additional steps are needed.
  1. Create a file groupmodify.ldif with the following contents:
    dn: cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default
    changetype: modify
    add: member
    member: cn=testapp/tam611,cn=SecurityDaemons,secAuthority=testdom,cn=Subdomains,secAuthority=Default
    Where member is the LDAP DN of your application. This value is provided as the ldap.bind_dn argument to java com.tivoli.pd.rgy.util.RgyConfig. Alternatively, you can determine this value from ldap.bind-dn stored in the generated properties file.
  2. Update LDAP by using the ldapmodify command.
    ldapmodify -p 389 -h localhost -D "cn=root" -w passw0rd -f groupmodify.ldif

    Replace localhost and passw0rd with values appropriate for your setup.
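
The following Python sketch is an added example, not IBM code or part of the original page. It builds the groupmodify.ldif content from the ldap.bind-dn value in the generated properties file, folding long lines and base64-encoding unsafe values per RFC 2849 so that a malformed DN cannot add extra LDIF lines. It assumes the file uses standard Java .properties escaping; the sample file content and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample of a properties file (assumed Java .properties escaping).
SAMPLE_PROPERTIES = r"""
# constructed sample, not real RgyConfig output
ldap.enable-last-login=true
ldap.bind-dn=cn\=testapp/tam611,cn\=SecurityDaemons,secAuthority\=testdom,cn\=Subdomains,secAuthority\=Default
"""
GROUP_DN = "cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default"
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def _unescape(match):
    """Decode one backslash escape (Unicode, control character, or literal)."""
    seq = match.group(1)
    return chr(int(seq[1:], 16)) if len(seq) == 5 else _ESCAPES.get(seq, seq)

def read_property(text, name):
    """Return the value of `name`, or None. Line continuations are not handled."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == name:
            return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", _unescape, m.group(2))
    return None

def ldif_attr(name, value, width=76):
    """Render one attribute per RFC 2849: base64 if unsafe, folded at `width`."""
    safe = re.fullmatch(r"(?![ :<])[\x01-\x09\x0b\x0c\x0e-\x7f]+", value)
    if safe and not value.endswith(" "):
        line = f"{name}: {value}"
    else:  # newlines, non-ASCII, leading ':' etc. cannot inject extra LDIF lines
        line = f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    parts, rest = [line[:width]], line[width:]
    while rest:  # continuation lines start with exactly one space
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def build_groupmodify(properties_text):
    """Build the groupmodify.ldif content from the ldap.bind-dn property."""
    member = read_property(properties_text, "ldap.bind-dn")
    if not member:
        raise ValueError("ldap.bind-dn not found in properties")
    return "\n".join([ldif_attr("dn", GROUP_DN), "changetype: modify",
                      "add: member", ldif_attr("member", member)]) + "\n"

if __name__ == "__main__":
    print(build_groupmodify(SAMPLE_PROPERTIES), end="")
```

Write the returned text to groupmodify.ldif and review it before you run ldapmodify.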

Note: You do not have to install or configure Verify Identity Access to use the new API in stand-alone mode.