ISAM PD.jar keystore problems with Oracle JRE

Troubleshooting

Problem

ISAM PD.jar version for Oracle (used in the Access Manager - JBOSS integration) is unable to read keystores generated by IBM JRE.

Symptom

The JBoss application log and PDJLog tracing report messages similar to the following.

java.io.IOException: Invalid keystore format

or

Corrupted configuration: Cannot use keystore.

Cause

The ISAM PD.jar version for Oracle requires the IBM Security Access Manager Authorization client to be generated using the Oracle JRE itself.

A properties / keyfile from an IBM JRE (with it's own PD.jar) cannot be used.

Environment

Oracle JRE with ISAM PD.jar

Resolving The Problem

If an Oracle Java Runtime Environment is to be used, ensure the original PD.jar contained in<ISAM_HOME>\java\export\pdjrte\ is backed up and replaced with the PD.jar corresponding to the installed version of the ISAM Runtime for Java from the relevant lib\ directory in the integration package. Ensure the replaced PD.jar has the same permissions as the original, including file ownership. On UNIX based systems the file owner is typically the ivmgr user.

Prepare the Java Runtime Environment that the JBoss Enterprise Application Platform server uses, so that it can correctly call IBM Security Access Manager during run time.
Run the following command (entered on one line):

"<JAVA_HOME>\jre\bin\java" -Dpd.home="<ISAM_HOME>" -classpath "<ISAM_HOME>\java

\export\pdjrte\PD.jar" com.tivoli.pd.jcfg.PDJrteCfg -action config -java_home
"<JAVA_HOME>\jre" -host <POLICY_SERVER_HOST> -port 7135 -config_type full

Configure a new IBM Security Access Manager Authorization client for the Login Module, used to validate a trusted connection between IBM Security Access Manager and JBoss Enterprise Application Platform.
This example command should be executed on a single line on the command line:

"<JAVA_HOME>\jre\bin\java" -Dpd.cfg.home="<JAVA_HOME>\jre" -classpath
"<ISAM_HOME>\java\export\pdjrte\PD.jar" com.tivoli.pd.jcfg.SvrSslCfg -action
config -admin_id sec_master admin_pwd <password> -appsvr_id <jboss-sso> -port
7201 -mode remote -policysvr <POLICY_SERVER_HOST>:7135:1 -authzsvr
<AUTHZ_SERVER_HOST>:7136:1 -cfg_file
"<JBOSS_HOME>\standalone\configuration\jboss-sso.properties" -key_file
"<JBOSS_HOME>\standalone\configuration\jboss-sso.ks"

Related Information

ISAM for JBoss EAP

[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Java Runtime","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1.1;7.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Product Synonym

ISAM I4W

Was this topic helpful?

Document Information

Modified date:
16 June 2018

UID

swg21882725

Tips