
IBM Tivoli Access Manager for e-business
Administration Java Classes Developer Reference
Version 5.1
SC32-1356-00

Note: Before using this information and the product it supports, read the information in Appendix E, "Notices," on page 87.

First Edition (November 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2002, 2003. All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface . . . vii
  Who should read this book . . . vii
  What this book contains . . . vii
  Publications . . . ix
    Release information . . . ix
    Base information . . . ix
    Web security information . . . x
    Developer references . . . x
    Technical supplements . . . xi
    Related publications . . . xi
    Accessing publications online . . . xiv
  Accessibility . . . xv
  Contacting software support . . . xv
  Conventions used in this book . . . xv
    Typeface conventions . . . xv
    User registry differences . . . xv
    Operating system differences . . . xvi

Chapter 1. Introducing the administration API . . . 1
  Administration Java classes overview . . . 1
    Other ways to manipulate administration objects . . . 2
  Java administration API components . . . 2
    Application development kit . . . 2
  Building Java applications with the administration API . . . 3
    IBM Tivoli Access Manager software requirements . . . 3
    Configuring the Java runtime component to a particular Java runtime environment . . . 4
    Configuring to use the Java administration classes . . . 4
    Security requirements . . . 4
  Java administration API example program . . . 5
  Deploying a Java administration API application . . . 5
  Gathering problem determination information . . . 5
    Enabling tracing on the policy server . . . 6
    Enabling tracing on the authorization server . . . 6
    Enabling tracing in the Java runtime component . . . 6
    Gathering message logs . . . 6
    Gathering trace logs . . . 7

Chapter 2. Using the administration API . . . 9
  Administration objects . . . 9
  Common classes . . . 11
  Initializing the administration API . . . 12
  Establishing a security context . . . 12
    User ID and password-based authentication . . . 12
    Certificate-based authentication . . . 13
  Manipulating administration objects . . . 14
    Creating objects . . . 14
    Obtaining a local copy of an object . . . 15
    Reading object values . . . 16
    Setting object values . . . 16
    Listing objects . . . 16
    Deleting objects . . . 17
  Messages . . . 17
  Handling errors . . . 18
  Shutting down the administration API . . . 18
  Character-based data considerations . . . 18


Chapter 3. Administering users and groups . . . 19
  Administering users . . . 19
    Administering user information . . . 20
    Administering user account policies . . . 21
    Administering user password policies . . . 22
  Administering groups . . . 23
    Administering group information . . . 24

Chapter 4. Administering protected objects and protected object spaces . . . 25
  Administering protected object spaces . . . 25
  Administering protected objects . . . 26
  Administering protected object attributes . . . 27

Chapter 5. Administering access control . . . 29
  Administering access control lists . . . 29
  Administering access control list entries . . . 30
  Administering access control list extended attributes . . . 32
  Administering action groups . . . 32
  Administering extended actions . . . 33

Chapter 6. Administering protected object policies . . . 35
  Administering protected object policy objects . . . 35
    PDPop.IPAuthInfo object . . . 36
  Administering protected object policy settings . . . 36
  Administering protected object policy extended attributes . . . 37

Chapter 7. Administering authorization rules . . . 39

Chapter 8. Administering single signon resources . . . 41
  Administering Web resources . . . 41
  Administering resource groups . . . 42
  Administering resource credentials . . . 43

Chapter 9. Administering domains . . . 45

Chapter 10. Configuring application servers . . . 47
  Configuring application servers . . . 47
  Administering configuration information . . . 47
  Certificate maintenance . . . 48

Chapter 11. Administering servers . . . 49
  Getting and performing administration tasks . . . 49
  Notifying replica databases when the master authorization database is updated . . . 49
    Notifying replica databases automatically . . . 50
    Notifying replica databases manually . . . 50
    Setting the maximum number of notification threads . . . 50
    Setting the notification wait time . . . 50
  Administrating servers and database notification . . . 51

Appendix A. Differences between the C and Java administration API . . . 53
  Security context management differences . . . 53
  Response processing differences . . . 53
  Additional differences . . . 53

Appendix B. Deprecated Java classes and methods . . . 55

Appendix C. User registry differences . . . 57


Appendix D. Administration API equivalents . . . 61

Appendix E. Notices . . . 87
  Trademarks . . . 88

Glossary . . . 91

Index . . . 97


Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

This reference contains information about how to use Tivoli Access Manager administration Java™ classes and methods to enable an application to programmatically perform Tivoli Access Manager administration tasks. This document describes the Java implementation of the Tivoli Access Manager administration API. See the IBM Tivoli Access Manager for e-business Administration C API Developer Reference for information regarding the C implementation of these APIs. Information on the pdadmin command line interface (CLI) can be found in the IBM Tivoli Access Manager for e-business Command Reference.

Who should read this book

This reference is for application programmers implementing programs in the Java programming language to administer the users and objects associated with the IBM Tivoli Access Manager product. Readers should be familiar with the following:
- PC and UNIX® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- The user registry that Tivoli Access Manager is configured to use
- Lightweight Directory Access Protocol (LDAP) and directory services, if used by your user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

This reference contains the following chapters and appendixes:

- Chapter 1, "Introducing the administration API," on page 1
  Provides an overview of the administration API and its components. It also covers building applications with the API and deploying an administration API program.
- Chapter 2, "Using the administration API," on page 9
  Each application that uses the administration API must perform certain tasks necessary for API initialization, shut down, and error handling. This chapter describes the supported methods for establishing security contexts, creating objects, setting object values, reading object values, listing object information, deleting objects, handling errors, and shutting down.
- Chapter 3, "Administering users and groups," on page 19
  The administration API provides a collection of methods for administering Tivoli Access Manager users and groups. This chapter describes the tasks that those methods accomplish. It describes the supported methods for administering users, user accounts, user passwords, groups, group attributes, and the policies associated with users.
- Chapter 4, "Administering protected objects and protected object spaces," on page 25
  This chapter describes the administration API methods that are used to administer protected object spaces and protected objects. It describes the supported methods for administering protected object spaces, protected objects, and protected object attributes.
- Chapter 5, "Administering access control," on page 29
  This chapter describes the administration API methods that are used to administer access control. It describes the supported methods for administering access control lists, access control list entries, and access control list extended attributes.
- Chapter 6, "Administering protected object policies," on page 35
  This chapter describes the administration API methods that are used to create, modify, examine, and delete protected object policies. It also discusses attaching or detaching protected objects from protected object policies. It describes the supported functions for administering protected object policy objects, protected object policy settings, and protected object policy extended attributes.
- Chapter 7, "Administering authorization rules," on page 39
  This chapter provides instructions for using the administration API to create, delete, list, and modify authorization rules.
- Chapter 8, "Administering single signon resources," on page 41
  This chapter provides instructions for using the administration API to create, modify, or delete web resources, resource groups, and resource credentials.
- Chapter 9, "Administering domains," on page 45
  This chapter provides instructions for using the administration API to create, delete, list, and modify Tivoli Access Manager policy server domains.
- Chapter 10, "Configuring application servers," on page 47
  This chapter provides instructions for using the administration API to configure servers, modify server configurations, administer replicas, and perform certificate maintenance.
- Chapter 11, "Administering servers," on page 49
  This chapter provides information about getting and performing administration tasks and notifying the replica database when the master authorization database is updated.
- Appendix A, "Differences between the C and Java administration API," on page 53
  This appendix outlines the differences between the administration C API functions and the administration Java classes and methods.
- Appendix B, "Deprecated Java classes and methods," on page 55
  This appendix provides a list of the Java classes and methods that have been deprecated in this version of Tivoli Access Manager.
- Appendix C, "User registry differences," on page 57
  This appendix outlines the differences in behavior of the classes and methods based on the user registry being used by Tivoli Access Manager.
- Appendix D, "Administration API equivalents," on page 61
  This appendix shows the mapping that exists between the Administration C APIs, the Administration Java classes and methods, and the command line interface (CLI).
- Appendix E, "Notices," on page 87
  This appendix provides copyright, legal, and trademark information.

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
- "Release information"
- "Base information"
- "Web security information" on page x
- "Developer references" on page x
- "Technical supplements" on page xi

Release information

- IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.


- IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

- IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
- IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.


- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
- IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
- IBM Directory Server (Version 4.1 and Version 5.1)
- IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:
http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:
http://www.ibm.com/software/webservers/appserv/infocenter.html

xii

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

IBM

Tivoli

Access

Manager

for

Business

Integration

IBM

Tivoli

Access

Manager

for

Business

Integration,

available

as

a

separately

orderable

product,

provides

a

security

solution

for

IBM

MQSeries®,

Version

5.2,

and

IBM

WebSphere®

MQ

for

Version

5.3

messages.

IBM

Tivoli

Access

Manager

for

Business

Integration

allows

WebSphere

MQSeries

applications

to

send

data

with

privacy

and

integrity

by

using

keys

associated

with

sending

and

receiving

applications.

Like

WebSEAL

and

IBM

Tivoli

Access

Manager

for

Operating

Systems,

IBM

Tivoli

Access

Manager

for

Business

Integration,

is

one

of

the

resource

managers

that

use

the

services

of

IBM

Tivoli

Access

Manager.

Additional

information

about

IBM

Tivoli

Access

Manager

for

Business

Integration

can

be

found

at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The

following

documents

associated

with

IBM

Tivoli

Access

Manager

for

Business

Integration

Version

5.1

are

available

on

the

Tivoli

Information

Center

Web

site:

v

IBM

Tivoli

Access

Manager

for

Business

Integration

Administration

Guide

(SC23-4831-01)

v

IBM

Tivoli

Access

Manager

for

Business

Integration

Problem

Determination

Guide

(GC23-1328-00)

v

IBM

Tivoli

Access

Manager

for

Business

Integration

Release

Notes

(GI11-0957-01)

v

IBM

Tivoli

Access

Manager

for

Business

Integration

Read

This

First

(GI11-4202-00)

IBM

Tivoli

Access

Manager

for

WebSphere

Business

Integration

Brokers

IBM

Tivoli

Access

Manager

for

WebSphere

Business

Integration

Brokers,

available

as

part

of

IBM

Tivoli

Access

Manager

for

Business

Integration,

provides

a

security

solution

for

WebSphere

Business

Integration

Message

Broker,

Version

5.0

and

WebSphere

Business

Integration

Event

Broker,

Version

5.0.

IBM

Tivoli

Access

Manager

for

WebSphere

Business

Integration

Brokers

operates

in

conjunction

with

Tivoli

Access

Manager

to

secure

JMS

publish/subscribe

applications

by

providing

password

and

credentials-based

authentication,

centrally-defined

authorization,

and

auditing

services.

Additional

information

about

IBM

Tivoli

Access

Manager

for

WebSphere

Integration

Brokers

can

be

found

at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The

following

documents

associated

with

IBM

Tivoli

Access

Manager

for

WebSphere

Integration

Brokers,

Version

5.1

are

available

on

the

Tivoli

Information

Center

Web

site:

v

IBM

Tivoli

Access

Manager

for

WebSphere

Business

Integration

Brokers

Administration

Guide

(SC32-1347-00)

v

IBM

Tivoli

Access

Manager

for

WebSphere

Business

Integration

Brokers

Release

Notes

(GI11-4154-00)

v

IBM

Tivoli

Access

Manager

for

Business

Integration

Read

This

First

(GI11-4202-00)

IBM

Tivoli

Access

Manager

for

Operating

Systems

IBM

Tivoli

Access

Manager

for

Operating

Systems,

available

as

a

separately

orderable

product,

provides

a

layer

of

authorization

policy

enforcement

on

UNIX

systems

in

addition

to

that

provided

by

the

native

operating

system.

IBM

Tivoli

Preface

xiii

Access

Manager

for

Operating

Systems,

like

WebSEAL

and

IBM

Tivoli

Access

Manager

for

Business

Integration,

is

one

of

the

resource

managers

that

use

the

services

of

IBM

Tivoli

Access

Manager.

Additional

information

about

IBM

Tivoli

Access

Manager

for

Operating

Systems

can

be

found

at:

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The

following

documents

associated

with

IBM

Tivoli

Access

Manager

for

Operating

Systems

Version

5.1

are

available

on

the

Tivoli

Information

Center

Web

site:

v

IBM

Tivoli

Access

Manager

for

Operating

Systems

Installation

Guide

(SC23-4829-00)

v

IBM

Tivoli

Access

Manager

for

Operating

Systems

Administration

Guide

(SC23-4827-00)

v

IBM

Tivoli

Access

Manager

for

Operating

Systems

Problem

Determination

Guide

(SC23-4828-00)

v

IBM

Tivoli

Access

Manager

for

Operating

Systems

Release

Notes

(GI11-0951-00)

v

IBM

Tivoli

Access

Manager

for

Operating

Systems

Read

Me

First

(GI11-0949-00)

IBM

Tivoli

Identity

Manager

IBM

Tivoli

Identity

Manager

Version

4.5,

available

as

a

separately

orderable

product,

enables

you

to

centrally

manage

users

(such

as

user

IDs

and

passwords)

and

provisioning

(that

is

providing

or

revoking

access

to

applications,

resources,

or

operating

systems.)

Tivoli

Identity

Manager

can

be

integrated

with

Tivoli

Access

Manager

through

the

use

of

the

Tivoli

Access

Manager

Agent.

Contact

your

IBM

account

representative

for

more

information

about

purchasing

the

Agent.

Additional

information

about

IBM

Tivoli

Identity

Manager

can

be

found

at:

http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing

publications

online

The

publications

for

this

product

are

available

online

in

Portable

Document

Format

(PDF)

or

Hypertext

Markup

Language

(HTML)

format,

or

both

in

the

Tivoli

software

library:

http://www.ibm.com/software/tivoli/library

To

locate

product

publications

in

the

library,

click

the

Product

manuals

link

on

the

left

side

of

the

library

page.

Then,

locate

and

click

the

name

of

the

product

on

the

Tivoli

software

information

center

page.

Product

publications

include

release

notes,

installation

guides,

user’s

guides,

administrator’s

guides,

and

developer’s

references.

Note:

To

ensure

proper

printing

of

PDF

publications,

select

the

Fit

to

page

check

box

in

the

Adobe

Acrobat

Print

window

(which

is

available

when

you

click

File

Print).

xiv

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Accessibility

Accessibility

features

help

a

user

who

has

a

physical

disability,

such

as

restricted

mobility

or

limited

vision,

to

use

software

products

successfully.

With

this

product,

you

can

use

assistive

technologies

to

hear

and

navigate

the

interface.

You

also

can

use

the

keyboard

instead

of

the

mouse

to

operate

all

features

of

the

graphical

user

interface.

Contacting

software

support

Before

contacting

IBM

Tivoli

Software

Support

with

a

problem,

refer

to

the

IBM

Tivoli

Software

Support

site

by

clicking

the

Tivoli

support

link

at

the

following

Web

site:

http://www.ibm.com/software/support/

If

you

need

additional

help,

contact

software

support

by

using

the

methods

described

in

the

IBM

Software

Support

Guide

at

the

following

Web

site:

http://techsupport.services.ibm.com/guides/handbook.html

The

guide

provides

the

following

information:

v

Registration

and

eligibility

requirements

for

receiving

support

v

Telephone

numbers,

depending

on

the

country

in

which

you

are

located

v

A

list

of

information

you

should

gather

before

contacting

customer

support

Conventions

used

in

this

book

This

reference

uses

several

conventions

for

special

terms

and

actions

and

for

operating

system-dependent

commands

and

paths.

Typeface

conventions

The

following

typeface

conventions

are

used

in

this

reference:

Bold

Lowercase

commands

or

mixed

case

commands

that

are

difficult

to

distinguish

from

surrounding

text,

keywords,

parameters,

options,

names

of

Java

classes,

and

objects

are

in

bold.

Italic

Variables,

titles

of

publications,

and

special

words

or

phrases

that

are

emphasized

are

in

italic.

Monospace

Code

examples,

command

lines,

screen

output,

file

and

directory

names

that

are

difficult

to

distinguish

from

surrounding

text,

system

messages,

text

that

the

user

must

type,

and

values

for

arguments

or

command

options

are

in

monospace.

User

registry

differences

Tivoli

Access

Manager

supports

a

number

of

different

user

registries.

In

most

cases,

the

behavior

of

Tivoli

Access

Manager

is

the

same

regardless

of

what

user

registry

is

in

use.

However,

there

are

several

cases

where

the

processing

of

a

given

method

differs

based

on

what

user

registry

is

being

used.

A

note

similar

to

the

following

highlights

these

differences:

User

registry

difference:

This

text

would

describe

the

different

behavior

based

on

the

user

registry

in

use.

Preface

xv

See

Appendix

C,

“User

registry

differences,”

on

page

57

for

a

complete

list

of

known

differences.

Operating

system

differences

This

book

uses

the

UNIX

convention

for

specifying

environment

variables

and

for

directory

notation.

When

using

the

Windows

command

line,

replace

$variable

with

%variable%

for

environment

variables

and

replace

each

forward

slash

(/)

with

a

backslash

(\)

in

directory

paths.

If

you

are

using

the

bash

shell

on

a

Windows

system,

you

can

use

the

UNIX

conventions.

xvi

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Chapter

1.

Introducing

the

administration

API

The

IBM

Tivoli

Access

Manager

(Tivoli

Access

Manager)

Java

runtime

component

includes

the

Java

language

version

of

the

Tivoli

Access

Manager

administration

API.

The

Tivoli

Access

Manager

Java

runtime

component

provides

a

set

of

Java

classes

and

methods

for

the

administration

of

selected

Tivoli

Access

Manager

administration

objects.

These

classes

and

methods

provide

a

way

for

applications

to

administer

users,

groups,

protected

objects,

and

access

control

lists.

You

can

use

the

Tivoli

Access

Manager

application

developer

kit

(ADK)

to

enable

your

application

to

programmatically

administer

Tivoli

Access

Manager

administration

objects.

This

chapter

contains

the

following

topics:

v

“Administration

Java

classes

overview”

v

“Java

administration

API

components”

on

page

2

v

“Building

Java

applications

with

the

administration

API”

on

page

3

v

“Java

administration

API

example

program”

on

page

5

v

“Deploying

a

Java

administration

API

application”

on

page

5

v

“Gathering

problem

determination

information”

on

page

5

Note:

If

you

are

familiar

with

the

C

language

interface

to

the

Tivoli

Access

Manager

administration

API,

see

Appendix

A,

“Differences

between

the

C

and

Java

administration

API,”

on

page

53

for

a

general

overview

of

differences.

A

mapping

of

C

APIs

to

Java

classes

and

methods

can

be

found

in

Appendix

D,

“Administration

API

equivalents,”

on

page

61.

Administration

Java

classes

overview

The

administration

Java

classes

can

be

used

to

administer

the

following

types

of

objects:

v

Policies

v

Users

v

Groups

v

Access

control

lists

(ACLs)

v

Extended

ACL

actions

v

Protected

object

policies

(POPs)

v

Protected

objects

v

Protected

object

spaces

v

Authorization

rules

v

Domains

v

Web,

or

single

signon

(SSO),

resources

v

Web

resource

groups

v

Resource

credentials

A

set

of

Java

classes

are

provided

for

creating,

modifying,

examining,

listing,

and

deleting

each

of

the

preceding

object

types.

The

classes

include

the

methods

necessary

for

manipulating

each

of

these

administration

objects.

These

©

Copyright

IBM

Corp.

2002,

2003

1

administration

Java

classes

are

packaged

in

the

PD.jar

file

that

is

installed

as

part

of

the

Tivoli

Access

Manager

Java

runtime

environment

component.

Applications

using

the

Java

runtime

environment

provided

with

Tivoli

Access

Manager

automatically

have

access

to

these

classes

and

methods.

The

administration

API

Java

classes

communicate

directly

with

the

Tivoli

Access

Manager

policy

server

component.

The

API

establishes

an

authenticated,

Secure

Sockets

Layer

(SSL)

session

with

the

Tivoli

Access

Manager

policy

server

process.

After

the

SSL

session

is

established,

the

classes

can

send

administration

requests

to

the

policy

server.

The

Tivoli

Access

Manager

policy

server

component

services

these

requests

in

the

same

manner

that

it

would

service

any

other

incoming

requests.

System

administrators

also

can

use

the

pdadmin

command

line

interface

to

accomplish

Tivoli

Access

Manager

administration

tasks.

The

Java

administration

classes

and

methods

map

closely

to

these

commands.

Appendix

D,

“Administration

API

equivalents,”

on

page

61

describes

the

commands

that

match

Java

administration

API

methods.

Some

Java

methods

do

not

have

a

pdadmin

command

line

equivalent.

Note:

The

svrsslcfg

command

line

interface

should

not

be

used

with

Java

applications.

Use

the

SvrSslCfg

Java

class

to

provide

this

functionality.

Other

ways

to

manipulate

administration

objects

In

addition

to

using

the

Java

administration

APIs

to

manipulate

these

objects,

you

also

can

use

the

following

methods:

pdadmin

command

line

interface

(CLI)

The

pdadmin

command

line

interface

is

explained

in

the

IBM

Tivoli

Access

Manager

for

e-business

Command

Reference.

Administration

C

API

The

administration

C

API

provides

support

for

these

administration

objects.

Refer

to

the

IBM

Tivoli

Access

Manager

for

e-business

Administration

C

API

Developer

Reference

for

details.

Java

administration

API

components

The

administration

API

consists

of

the

following

components:

v

The

administration

Java

classes

v

Javadoc

information

for

the

associated

Java

classes

and

methods

v

A

demonstration

application

The

administration

API

Java

classes

are

distributed

in

the

Tivoli

Access

Manager

Java

runtime

component

for

each

platform.

The

remainder

of

the

administration

API

components

are

distributed

in

the

Tivoli

Access

Manager

Application

Developer

Kit

component.

Application

development

kit

The

Javadoc

information

associated

with

the

administration

Java

classes

and

methods

as

well

as

examples

are

provided

as

part

of

the

Tivoli

Access

Manager

application

developer

kit

(ADK)

component

package.

2

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Table

1

lists

the

files

that

are

installed

as

part

of

the

Tivoli

Access

Manager

ADK

component.

The

PD.jar

file,

even

though

it

is

installed

as

part

of

the

Tivoli

Access

Manager

Java

runtime

component,

is

listed

in

the

table

for

completeness.

Table

1.

Administration

API

application

development

kit

files

Directory

Files

File

Description

AM_BASE/nls/javadocs

/pdjrte/index.html

index.html

(and

many

others)

Javadoc

HTML

documentation

for

the

Java

classes

and

methods

provided

with

the

Tivoli

Access

Manager

Java

runtime

component.

AM_BASE/example/

pdadminapi_demo/java

README.PDAdminDemo

PDAdminDemo.java

PDAdminDemo.class

PDAdminDemo$ConsoleEraser.class

A

demonstration

program

is

provided

which

illustrates

the

use

of

the

administration

Java

APIs.

You

can

copy

the

demonstration

program

to

any

directory.

The

readme

file

explains

how

to

run

and

recompile

the

demonstration

program.

JAVA_HOME/lib/ext

PD.jar

The

Java

Archive

(JAR)

file

containing

the

classes

and

methods

associated

with

the

administration

APIs.

Note:

When

you

use

the

pdjrtecfg

command

line

interface

to

configure

the

Tivoli

Access

Manager

Java

runtime

component

to

a

particular

JRE,

this

archive

file

is

copied

to

JAVA_HOME/lib/ext.

Therefore,

there

is

no

need

to

modify

the

CLASSPATH

in

your

environment

to

access

the

classes

and

methods

defined

in

this

archive

file.

Building

Java

applications

with

the

administration

API

To

develop

Java

applications

that

use

the

Tivoli

Access

Manager

administration

API,

you

must

install

and

configure

the

required

software.

IBM

Tivoli

Access

Manager

software

requirements

You

must

install

and

configure

an

Tivoli

Access

Manager

secure

domain.

If

you

do

not

have

an

Tivoli

Access

Manager

secure

domain

installed,

install

one

before

beginning

application

development.

The

minimum

installation

consists

of

a

single

system

with

the

following

Tivoli

Access

Manager

components

installed:

v

Tivoli

Access

Manager

runtime

environment

(see

Note

1

on

page

4)

v

Tivoli

Access

Manager

Java

runtime

component

v

Tivoli

Access

Manager

policy

server

v

Tivoli

Access

Manager

ADK

If

you

already

have

an

Tivoli

Access

Manager

secure

domain

installed

and

want

to

add

a

development

system

to

the

domain,

the

minimum

Tivoli

Access

Manager

installation

consists

of

the

following

components:

v

Tivoli

Access

Manager

runtime

environment

(see

Note

1

on

page

4)

v

Tivoli

Access

Manager

Java

runtime

component

v

Tivoli

Access

Manager

ADK

For

Tivoli

Access

Manager

installation

instructions,

refer

to

the

section

of

the

IBM

Tivoli

Access

Manager

Base

Installation

Guide

for

your

operating

system

platform.

Chapter

1.

Introducing

the

administration

API

3

Notes:

1.

The

Tivoli

Access

Manager

runtime

environment

component

is

not

needed

for

developing

or

deploying

an

Tivoli

Access

Manager

Java

application.

The

prerequisite

checking

for

the

Tivoli

Access

Manager

ADK

component

is

in

error

and

erroneously

requires

that

the

Tivoli

Access

Manager

runtime

component

be

installed,

even

if

you

are

developing

only

Java

applications

and

simply

need

the

Javadoc

information

and

the

example

files

from

the

ADK

component.

To

save

disk

space,

you

can

copy

the

Javadoc

HTML

information,

consisting

of

the

entire

AM_BASE/nls/javadocs

directory

tree,

along

with

the

sample

Java

program,

in

the

AM_BASE/example

directory

tree,

to

another

location

on

your

development

system

and

then

uninstall

the

Tivoli

Access

Manager

ADK

and

runtime

components.

2.

If

you

intend

to

use

the

Tivoli

Access

Manager

runtime

environment

for

an

administration

C

API

application,

you

also

must

install

the

IBM®

Directory

client

if

an

LDAP

or

Lotus

Domino

server

is

being

used

as

the

user

registry

in

the

secure

domain.

Configuring

the

Java

runtime

component

to

a

particular

Java

runtime

environment

Configure

the

Tivoli

Access

Manager

Java

runtime

component

to

use

the

proper

JRE

on

the

system

by

using

the

pdjrtecfg

command.

The

Tivoli

Access

Manager

Java

runtime

component

can

be

configured

to

several

different

JREs

on

the

same

system,

if

desired.

See

the

IBM

Tivoli

Access

Manager

Base

Installation

Guide

for

details.

Configuring

to

use

the

Java

administration

classes

The

com.tivoli.pd.jcfg.SvrSslCfg

Java

class

must

be

used

to

configure

the

administration

Java

APIs.

See

the

IBM

Tivoli

Access

Manager

for

e-business

Authorization

Java

Classes

Developer

Reference

for

details

on

the

SvrSslCfg

utility.

Notes:

1.

Do

not

use

the

svrsslcfg

command

line

interface

to

create

configuration

files

that

are

to

be

used

with

Java

applications.

2.

The

com.tivoli.mts.SvrSslCfg

class

provided

in

previous

versions

of

IBM

Tivoli

Access

Manager

and

IBM

SecureWay

Policy

Director

has

been

deprecated.

Use

the

new

com.tivoli.pd.jcfg.SvrSslCfg

class

instead.

Security

requirements

When

running

a

Java

application

in

the

context

of

a

Java

security

manager,

the

application

must

have

the

proper

Java

permissions

to

use

the

administration

Java

APIs.

If

the

application

is

not

installed

as

a

Java

extension

in

the

JAVA_HOME/lib/ext

directory,

an

entry

must

be

added

to

the

JAVA_HOME/lib/security/java.policy

file.

For

example,

to

grant

Java

applications

located

in

the

/sb/pdsb/export/classes

directory,

and

all

its

subdirectories,

the

necessary

Java

permissions

to

use

authorization

Java

classes

and

methods,

add

a

statement

similar

to

the

following

to

the

java.policy

file:

4

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Invoke

administration

Java

classes

and

methods

from

a

privileged

block,

doPrivileged(),

to

alleviate

the

need

for

the

application’s

callers

to

have

this

Java

permission

as

well.

The

PD.jar

file

is

signed,

but

verification

of

the

signing

of

JAR

files

is

not

supported

in

this

version

of

Tivoli

Access

Manager.
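The privileged-block pattern described above, as an added example that is not code from the Tivoli Access Manager ADK: it assumes the java.policy grant of Figure 1 (javax.security.auth.AuthPermission "PDAdmin" for the application's code base) and substitutes a constructed string for the real PDAdmin/PDContext calls so that it compiles without PD.jar.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.AuthPermission;

/**
 * Added example, not part of the Tivoli Access Manager ADK. Wraps a call into
 * the administration Java classes in a doPrivileged() block so that only the
 * code base holding the AuthPermission "PDAdmin" grant (Figure 1) needs that
 * permission, not every caller further up the call stack.
 */
public final class PrivilegedAdminCall {

    /** The permission named in the java.policy grant of Figure 1. */
    static final AuthPermission PDADMIN_PERMISSION = new AuthPermission("PDAdmin");

    /** Shape of one administration operation; the body is supplied by the caller. */
    @FunctionalInterface
    public interface AdminOperation<T> {
        T run() throws Exception;
    }

    /**
     * Runs the operation inside doPrivileged(). With a security manager
     * installed, the AccessController stops its stack walk at this frame, so
     * the caller's protection domains are not required to hold "PDAdmin";
     * only this class's code base (granted in java.policy) must hold it.
     */
    public static <T> T runPrivileged(AdminOperation<T> op) throws Exception {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) op::run);
        } catch (PrivilegedActionException e) {
            // Unwrap the checked exception thrown by the operation itself.
            throw e.getException();
        }
    }

    /**
     * Reports whether this code base would pass the "PDAdmin" check. Without a
     * security manager no permission checks are enforced, so the answer is
     * true; with one, the java.policy grant decides.
     */
    public static boolean hasPdAdminPermission() {
        if (System.getSecurityManager() == null) {
            return true;
        }
        try {
            AccessController.checkPermission(PDADMIN_PERMISSION);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for real work against PDAdmin/PDContext; the real
        // classes are omitted so this compiles without PD.jar on the class path.
        String result = runPrivileged(() -> "administration request sent");
        System.out.println(result);
        System.out.println("code base holds PDAdmin: " + hasPdAdminPermission());
    }
}
```

Run it once without a security manager and once with one and the Figure 1 grant in place (java -Djava.security.manager on a JDK that still supports it) to see the difference the grant makes.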

Java administration API example program

The Tivoli Access Manager ADK includes the complete Java source code for an example program that demonstrates the use of the administration Java classes. The example program demonstrates how to perform the following tasks:
• Initialize an administration API security context
• Display an error message
• Create a new Tivoli Access Manager user
• Set a user account to be valid
• Create a new group
• Add the new user to the group
• Delete a group
• Delete a user

Deploying a Java administration API application

Java applications that have been developed using the Tivoli Access Manager administration API must be run on systems that are configured as part of a Tivoli Access Manager secure domain. To run an administration Java application, you must have installed the Tivoli Access Manager Java runtime component.

Note: Information on installing the Tivoli Access Manager Java runtime component can be found in the IBM Tivoli Access Manager Base Installation Guide.

Gathering problem determination information

When developing a Java application, you might encounter a problem with Tivoli Access Manager. To assist Tivoli support personnel in diagnosing your problem, gather problem determination information relating to your error. Tivoli Access Manager components can be configured to log information to one or more trace files. You can enable tracing for the policy server, the authorization server, the Java runtime component, or any system using the Tivoli Access Manager runtime environment.

    // Give applications in /sb/pdsb/export/classes and
    // its subdirectories access to the Access Manager
    // Administration APIs
    grant codeBase "file:/sb/pdsb/export/classes/-" {
        permission javax.security.auth.AuthPermission "PDAdmin";
    };

Figure 1. Granting Java permission to applications


Enabling tracing on the policy server

To enable tracing on the policy server, edit the /etc/pdmgrd_routing file, located in the installation directory for the Tivoli Access Manager policy server, and uncomment the last line. Shut down and restart the policy server daemon, pdmgrd.

Enabling tracing on the authorization server

To enable tracing on the authorization server, edit the /etc/pdacld_routing file, located in the installation directory for the Tivoli Access Manager authorization server, and uncomment the last line. Shut down and restart the authorization server daemon, pdacld.

Enabling tracing in the Java runtime component

Tracing for the Tivoli Access Manager Java runtime component is controlled by settings in the properties file created by the com.tivoli.pd.jcfg.SvrSslCfg command. To enable tracing, edit the properties file created and update the line associated with the desired application-server-name to set isLogging to true:

    baseGroup.PDJ<application-server-name>TraceLogger.isLogging=true

Each Java application can be configured to use a different properties file, and the properties file can have any name and be located in any directory. The PDJLog.properties file, located in the PolicyDirector subdirectory of the associated JRE, is installed by the Tivoli Access Manager Java runtime environment component. This properties file is associated with, and can be used to enable tracing in, the pdjrtecfg command as well as the com.tivoli.pd.jcfg.SvrSslCfg command.

Gathering message logs

Message logs associated with applications that are configured using the com.tivoli.pd.jcfg.SvrSslCfg command are, by default, written to a set of 3 files: msg__application_name1.log, msg__application_name2.log, and msg__application_name3.log, where application_name is the name specified with the appSvr parameter of SvrSslCfg. Each file is 512 KB in size, and the msg__application_name1.log file always contains the latest messages. The number and size of these files, as well as the base name of the files themselves, can be configured using the options in the configuration file.

Note: There are two underscore characters (_) following the characters msg in the default file names.

The PDJLog.properties file controls the message logging for Java programs not configured with the com.tivoli.pd.jcfg.SvrSslCfg command. This properties file specifies different file names for each class of Tivoli Access Manager message: FATAL, ERROR, WARNING, NOTICE, or NOTICEVERBOSE. Each class of message is written to a set of 3 files, with names of the following form:

    msg__amj_fatalN.log
    msg__amj_errorN.log
    msg__amj_warningN.log
    msg__amj_noticeN.log
    msg__amj_noticeverboseN.log

For more information on message logging, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.

Gathering trace logs

Trace logs associated with applications that are configured using the com.tivoli.pd.jcfg.SvrSslCfg command are, by default, written to a set of 3 files: trace__application_name1.log, trace__application_name2.log, and trace__application_name3.log, where application_name is the name specified with the appSvr parameter of SvrSslCfg. Each file is 512 KB in size, and the trace__application_name1.log file always contains the latest trace entries. The number and size of these files, as well as the base name of the files themselves, can be configured using the options in the configuration file.

Note: There are two underscore characters (_) following the characters trace in the default file names.

The PDJLog.properties file controls the trace logging for Java programs not configured with the com.tivoli.pd.jcfg.SvrSslCfg command. By default, this trace output is directed to a set of 3 files called trace__amj1.log, trace__amj2.log, and trace__amj3.log. The number and size of these files, as well as the base name of the files themselves, can be configured using the options in the PDJLog.properties file. For more information, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.
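The Java runtime tracing switch and the rotated log naming described in the three sections above, as an added example that is not part of the Tivoli Access Manager Java runtime: it sets isLogging for a hypothetical appSvr name myAdminApp in an in-memory copy of a SvrSslCfg-created properties file, and merges constructed trace__myAdminApp1..3.log files oldest-first for a support bundle, since file 1 always holds the latest entries.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Added example, not part of the Tivoli Access Manager Java runtime. Enables
 * tracing for one application server name in a SvrSslCfg-created properties
 * file and assembles that application's rotated trace files into a single
 * chronological stream. The manual numbers the files so that file 1 always
 * holds the latest entries, so chronological order is N .. 2, 1.
 */
public final class PdjTraceCollector {

    /** The key named in the manual: baseGroup.PDJ<application-server-name>TraceLogger.isLogging */
    public static String traceKey(String appSvrName) {
        return "baseGroup.PDJ" + appSvrName + "TraceLogger.isLogging";
    }

    /** Sets isLogging=true for appSvrName; returns the previous value ("false" when absent). */
    public static String enableTracing(Properties props, String appSvrName) {
        String previous = props.getProperty(traceKey(appSvrName), "false");
        props.setProperty(traceKey(appSvrName), "true");
        return previous;
    }

    /**
     * Default rotated file names for a prefix ("msg" or "trace"), newest first:
     * prefix__<name>1.log .. prefix__<name>N.log. Note the two underscores
     * after the prefix, as the manual points out.
     */
    public static List<Path> rotatedFiles(Path logDir, String prefix, String appSvrName, int count) {
        List<Path> files = new ArrayList<>();
        for (int i = 1; i <= count; i++) {
            files.add(logDir.resolve(prefix + "__" + appSvrName + i + ".log"));
        }
        return files;
    }

    /** Concatenates the rotated files oldest-first (N .. 1), skipping any not yet created. */
    public static String chronological(List<Path> newestFirst) throws IOException {
        StringBuilder out = new StringBuilder();
        for (int i = newestFirst.size() - 1; i >= 0; i--) {
            Path p = newestFirst.get(i);
            if (Files.exists(p)) {
                out.append(Files.readString(p));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        String appSvr = "myAdminApp"; // hypothetical appSvr name

        // Constructed properties content standing in for the SvrSslCfg output file.
        Properties props = new Properties();
        props.load(new StringReader(traceKey(appSvr) + "=false\n"));
        String before = enableTracing(props, appSvr);
        System.out.println(traceKey(appSvr) + ": " + before + " -> " + props.getProperty(traceKey(appSvr)));

        // Constructed rotated trace files in a temporary directory: 3 is oldest, 1 is latest.
        Path dir = Files.createTempDirectory("pdj-trace");
        List<Path> files = rotatedFiles(dir, "trace", appSvr, 3);
        Files.writeString(files.get(2), "oldest entry\n");
        Files.writeString(files.get(1), "middle entry\n");
        Files.writeString(files.get(0), "latest entry\n");
        System.out.print(chronological(files));
    }
}
```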

Chapter

1.

Introducing

the

administration

API

7

8

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Chapter

2.

Using

the

administration

API

Each

Java

application

that

uses

the

administration

API

must

perform

certain

tasks

necessary

for

API

initialization,

shut

down,

and

error

handling.

The

administration

API

provides

methods

for

each

of

these

tasks.

The

following

sections

in

this

chapter

describe

the

supported

functions:

v

“Administration

objects”

v

“Initializing

the

administration

API”

on

page

12

v

“Establishing

a

security

context”

on

page

12

v

“Manipulating

administration

objects”

on

page

14

v

“Messages”

on

page

17

v

“Handling

errors”

on

page

18

v

“Shutting

down

the

administration

API”

on

page

18

v

“Character-based

data

considerations”

on

page

18

Note:

If

you

are

familiar

with

the

administration

C

API

described

in

the

IBM

Tivoli

Access

Manager

for

e-business

Administration

C

API

Developer

Reference,

see

Appendix

A,

“Differences

between

the

C

and

Java

administration

API,”

on

page

53.

Administration objects

Each IBM Tivoli Access Manager (Tivoli Access Manager) administration object that can be manipulated directly from a Java application is represented by a corresponding Java class. The objects supported in this version of Tivoli Access Manager are as follows:

PDAdmin
    This class is used to initialize and shut down the operations associated with using the Tivoli Access Manager administration classes and methods. The methods in this class are applicable to all administration objects.

PDAuthzRule
    This class represents a Tivoli Access Manager authorization rule.

PDContext
    This class encapsulates the information needed to establish a communication session between the Java application and the Tivoli Access Manager policy server. Both user ID and password-based and certificate-based authentication are supported by this class. Multiple PDContext objects can be created and used within the same Java virtual machine (JVM).

PDDomain
    This class represents a Tivoli Access Manager policy server domain.

PDUser
    This class represents a user in the Tivoli Access Manager policy server.

PDGroup
    This class represents a group in the Tivoli Access Manager policy server.

PDPolicy
    This class represents the policy information that is associated with a particular Tivoli Access Manager user or, in the case of the global policy, that is associated with all users. The PDPolicy class is used to set and retrieve account policy information from the user registry on a global or per-user basis.

PDAcl
    This class represents an access control list (ACL), which in turn consists of a list of ACL entries.

PDAclEntry
    This class represents an entry in an ACL.

PDAclEntryUser
    This class represents a user ACL entry and controls access for a particular user.

PDAclEntryGroup
    This class represents a group ACL entry and controls access for all members in a group.

PDAclEntryAnyOther
    This class represents the any-other, or any-other authenticated, entry in an ACL. This ACL entry is applied to any user that has been authenticated into the Tivoli Access Manager secure domain but is not included in a separate user or group ACL entry.

PDAclEntryUnAuth
    This class represents the unauthenticated user ACL entry. This ACL entry is applied to any user that has not been authenticated by Tivoli Access Manager.

PDProtObject
    This class represents a protected object. A protected object represents a resource that is to be protected, and it has an ACL associated with it. Each protected object is uniquely identified by an ID.

PDProtObjectSpace
    This class represents the protected object space object. An object space is a logical grouping of protected objects representing a set of related resources to be protected. Each object space is uniquely identified by an ID.

PDPop
    This class represents a protected object policy, or POP, which can be attached to a PDProtObject object.

PDAdmSvcPobj
    This class represents the value of a Tivoli Access Manager administration service protected object.

PDAction
    This class represents a given permission.

PDActionGroup
    This class represents a collection of PDAction objects.

PDRgyGroupName
    This class represents the name of a Tivoli Access Manager group in the underlying user registry.

PDRgyUserName
    This class represents the name of a Tivoli Access Manager user in the underlying user registry.

PDRgyName
    This class represents the name of a Tivoli Access Manager object in the underlying user registry. This object is either a Tivoli Access Manager user name or group name.

PDAppSvrSpecLocal
    This class represents configuration information for a local Java application server.

PDAppSvrSpecRemote
    This class represents configuration information for a remote Java application server.

PDSvrInfo
    This class represents a Tivoli Access Manager policy server or authorization server and is used when creating or changing the configuration for a Java application server.

PDAppSvrInfo
    This class represents a read-only view of a Java application server’s configuration information.

PDServer
    This class represents a Tivoli Access Manager policy server, authorization server, or other application server.

PDSSOResource
    This class represents a single signon (SSO) resource.

PDSSOResourceGroup
    This class represents a single signon (SSO) resource group.

PDSSOCred.CredID
    This class represents the credential identification information for each member of the list returned by the PDSSOCred.listSSOCreds method.

PDSSOCred.CredInfo
    This class represents the credential information for each member of the list returned by the PDSSOCred.listAndShowSSOCreds method.

PDException
    This class creates an exception to reflect that an error or other exceptional condition has occurred.

PDMessage
    This class represents a single Tivoli Access Manager message and includes the message code, severity, and the localized message text.

PDMessages
    This class represents a list of zero or more Tivoli Access Manager messages.

The methods associated with these classes are thread-safe.

Common classes

The following classes are used for both administration and authorization methods.

PDAttrs
    This class represents a list of Tivoli Access Manager attributes.

PDAttrValue
    This class represents the value of a Tivoli Access Manager attribute.

PDAttrValues
    This class represents a collection of values for a particular attribute that is unordered and that does not allow duplicates.

PDAttrValueList
    This class represents a collection of values for a particular attribute that is ordered and allows duplicates.

Initializing the administration API

Before using the administration API in a Java application, the PDAdmin object must be initialized. This is accomplished by calling the PDAdmin.initialize() method, as shown in Figure 2, passing the name of the application and a PDMessages object. Messages are described in more detail in “Messages” on page 17.

    PDMessages messages = new PDMessages();
    PDAdmin.initialize("myApplicationName", messages);

Figure 2. Initializing the administration API

Establishing a security context

After initializing the administration API, you must create an SSL connection between the Java application and the Tivoli Access Manager policy server. This connection is referred to as a security context by the administration API. The security context provides for the secure transfer of administrative requests and data between the Java application and the policy server.

A security context can be established using either user ID and password-based authentication or certificate-based authentication. In either case, the security context is represented by the PDContext object. Multiple PDContext objects can be created and used within the same JVM.

Information on Java authentication classes and methods can be found in IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference.

User ID and password-based authentication

To establish a security context using user ID and password-based authentication, you need the following information:

admin user ID
    A Tivoli Access Manager user ID with the appropriate administrative authority, such as sec_master.

admin password
    The password associated with the administrator user ID.

locale
    The locale that is to be used for returning message data to the application. When this value is not supplied as an input parameter, the PDContext constructor uses the default locale.

domain
    The Tivoli Access Manager policy server domain to which the user will be authenticated. When this value is not supplied, the domain is obtained from the configuration file URL. When the configuration file URL does not contain domain information, the local domain associated with the Java Runtime Environment is used.

configuration file URL
    The uniform resource locator (URL) to the configuration file created by the Java SvrSslCfg class. The URL must use the file:/// format.

    Note: Do not use the svrsslcfg command line interface to create a configuration file that is to be used by a Java application.

To create the security context, create a PDContext object as shown in Figure 3.

    // Create locale for US English ("en" is the ISO language code;
    // new Locale("ENGLISH", "US") would build an unrecognized locale)
    Locale myLocale = new Locale("en", "US");

    /* Create a security context using our locale. Need to supply a user ID
     * with administrative privileges in Access Manager (like sec_master)
     * along with its password and a URL of the form file:/// to the
     * configuration file created by the SvrSslCfg class.
     */
    PDContext myContext = new PDContext(myLocale,
                                        adminName,
                                        adminPassword,
                                        domain,
                                        configFileURL);

Figure 3. Creating a security context using user ID and password-based authentication

The contents of the configuration file created by the Java SvrSslCfg class are not externalized and are subject to change without notice in future releases of Tivoli Access Manager. Users should not use the information in the configuration file directly.

Certificate-based authentication

To establish a security context using certificate-based authentication, you need the following information:

locale
    The locale that is to be used for returning message data to the application.

configuration file URL
    The URL to the configuration file created by the Java SvrSslCfg class. The URL must use the file:/// format.

    Note: Do not use the svrsslcfg command line interface to create a configuration file that is to be used by a Java application.

To create the security context, create a PDContext object as shown in Figure 4 on page 14.

The contents of the configuration file created by the Java SvrSslCfg class are not externalized and are subject to change without notice in future releases of Tivoli Access Manager. Users should not use the information in the configuration file directly.

    // Create locale for US English ("en" is the ISO language code)
    Locale myLocale = new Locale("en", "US");

    /* Create a security context using certificate-based authentication.
     * The URL to the configuration file must use the file:/// format.
     * The configuration file is created by the SvrSslCfg class.
     */
    PDContext myContext = new PDContext(myLocale, configFileURL);

Figure 4. Creating a security context using certificate-based authentication

Manipulating administration objects

Each Java class representing an administration object provides static methods to create, list, modify, and delete objects stored on the Tivoli Access Manager policy server. Changes to administration objects on the policy server are immediately available to other applications.

The constructor of each class can be used to obtain a local copy of a specific administration object. The instance methods of the class can then be used to retrieve data from the local object and to modify both the local copy of the object and the object stored on the policy server.

Use of the static methods is recommended for command line and batch-oriented applications using the administration API. For interactive applications, the instance methods are recommended.

Creating objects

You can use the administration API to create the Tivoli Access Manager objects necessary to complete administrative tasks. Before you create an object, you need to initialize the administration API and establish a security context.

To create an object, use the static creation method associated with the administration object. For example, to create a Tivoli Access Manager user, you would use the PDUser.createUser() static method. This is illustrated in Figure 5 on page 15. This method results in the Tivoli Access Manager user being created immediately on the policy server.

    /*------------------------------------------------------------------
     * Create a user, using the PDUser.createUser() static method, and
     * assign the user to a specific group. This method sends a
     * request to the policy server to create the user.
     *------------------------------------------------------------------
     */
    // Set up all of the user's attributes
    String name = "Stephanie Luser";
    String firstName = "Stephanie";
    String lastName = "Luser";
    String password = "herpassword";
    String description = "Descriptive text for Stephanie Luser";
    String rgyName = "cn=" + name + "," + rgySuffix;
    PDRgyUserName pdRgyUserName = new PDRgyUserName(rgyName, firstName, lastName);
    boolean ssoUser = false;
    boolean pwdPolicy = true;
    ArrayList groupList = new ArrayList();
    groupList.add(groupAdministrativeAssistants);

    messages.clear();
    PDUser.createUser(mySecurityContext,
                      name,
                      pdRgyUserName,
                      description,
                      password.toCharArray(),
                      groupList,
                      ssoUser,
                      pwdPolicy,
                      messages);

Figure 5. Creating a user

Obtaining a local copy of an object

To obtain a local copy of an administration object, use the constructor for the Java class representing the administration object. For example, to get a copy of the PDUser object representing a particular Tivoli Access Manager user, you would use the PDUser constructor. This is shown in Figure 6.

    /*------------------------------------------------------------------
     * Obtain a user using the PDUser constructor.
     *------------------------------------------------------------------
     */
    // Set up all of the user's attributes
    String name = "Zachary Wommbat";
    String firstName = "Zachary";
    String lastName = "Wommbat";
    String rgyName = "cn=" + name + "," + rgySuffix;
    PDRgyUserName pdRgyUserName = new PDRgyUserName(rgyName, firstName, lastName);

    messages.clear();
    PDUser user = new PDUser(mySecurityContext, pdRgyUserName, messages);

Figure 6. Getting a local copy of a PDUser object

After a local copy of the administration object is obtained, you can use the instance methods on the object to retrieve or set data associated with the object.

Note: After a local copy of an administration object is obtained, the object could be changed on the policy server by other users using the command line interface, the administration C API, or the Java classes and methods. A few instance methods are able to detect inconsistencies between data in the local object and data in the policy server, but most cannot. It is the responsibility of the user to ensure that changes made to administration objects are done in a consistent and predictable way when using the instance methods.

Reading object values

Administration object data can be obtained by using the instance methods associated with the administration object. To use the instance methods, you must first obtain a local copy of the object, as outlined in “Obtaining a local copy of an object” on page 15. After obtaining the object, you can retrieve information about the object by using the instance methods. For example, to get the description associated with a Tivoli Access Manager user from a local copy of the PDUser object:

    userDescription = user.getDescription();

Setting object values

Administration object data can be changed by using the instance methods associated with the administration object or by using the static methods associated with the Java class representing the administration object. To use the instance methods, you must first obtain a local copy of the object, as outlined in “Obtaining a local copy of an object” on page 15. After obtaining the object, you can change information about the object by using the instance methods. For example, to disable the account associated with a Tivoli Access Manager user from a local copy of the PDUser object, use the following:

    user.setAccountValid(mySecurityContext,
                         false,       // Disable the account
                         messages);

The instance method changes both the local copy of the administration object and the object stored on the policy server. To update the object on the policy server directly, without first obtaining a local copy, use the static method:

    PDUser.setAccountValid(mySecurityContext,
                           name,
                           false,     // Disable the account
                           messages);

Listing objects

Some administrative tasks require the Java application to obtain a list of objects. For example, an administrator might need to review the list of existing users in order to decide if a new user must be created. Table 2 on page 17 lists the appropriate method to use to list objects based on the Java class that represents an administration object.

Table 2. Methods used to list objects

    Object               Method to list objects
    PDAcl                PDAcl.listAcls
    PDGroup              PDGroup.listGroups
    PDProtObject         PDProtObject.listProtObjects
                         PDProtObject.listProtObjectsByAcl
    PDProtObjectSpace    PDProtObjectSpace.listProtObjectSpaces
    PDUser               PDUser.listUsers
    PDDomain             PDDomain.listDomains
    PDAuthzRule          PDAuthzRule.listAuthzRules
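The listing, reading and setting methods above combine naturally into a batch job. The following is an added example written for this page; it is not code from the reference or from the product. It is a leaver sweep: it lists every user with the static PDUser.listUsers method, takes a fresh local copy of each candidate immediately before acting on it (because of the stale-copy note above), and disables rather than deletes any valid account that is missing from an authoritative list of active staff, using the static setter the reference recommends for batch work. The package names, the listUsers signature (context, name pattern, maximum entries, messages), the PDUser constructor that takes a plain user name, PDException.getMessages(), and the assumption that PDMessages behaves as a java.util.List are assumptions to verify against the class reference for your release; only the constructor by PDRgyUserName, isAccountValid and the static setAccountValid are shown on this page.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Package names are assumed from the Tivoli Access Manager Java runtime
// (jadmin for administration objects, jutil for context, messages and
// exceptions); verify them against the class reference for your release.
import com.tivoli.pd.jadmin.PDUser;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/**
 * Leaver sweep: every Tivoli Access Manager user that is absent from an
 * authoritative list of active staff is disabled, not deleted, so the
 * account, its group memberships and its history stay available for review.
 */
public final class LeaverSweep {

    /** Upper bound on entries returned by listUsers (assumed meaning of that parameter). */
    private static final long MAX_RETURN = 10000L;

    /** User names are not case sensitive and must carry no leading or trailing blanks. */
    static String canonical(String userName) {
        return userName.trim().toLowerCase(Locale.ROOT);
    }

    /**
     * Disables every account that is currently valid and not in activeStaff.
     * Returns the names that this run disabled.
     */
    public static List<String> disableLeavers(PDContext ctx, Set<String> activeStaff)
            throws PDException {
        Set<String> keep = new HashSet<String>();
        for (String s : activeStaff) {
            keep.add(canonical(s));
        }
        keep.add("sec_master");   // never let an automated sweep lock out the administrator

        PDMessages messages = new PDMessages();
        // Static listing method, as the reference recommends for batch work.
        // Assumed signature: (context, name pattern, maximum entries, messages).
        ArrayList names = PDUser.listUsers(ctx, "*", MAX_RETURN, messages);
        report("listUsers", messages);

        List<String> disabled = new ArrayList<String>();
        for (Object o : names) {
            String userName = (String) o;
            if (keep.contains(canonical(userName))) {
                continue;
            }
            try {
                // Take the local copy immediately before acting on it: a copy taken
                // earlier may already be stale, because pdadmin or another client can
                // change the account and most instance methods will not notice.
                messages.clear();
                PDUser user = new PDUser(ctx, userName, messages);   // constructor by name (assumed overload)
                if (!user.isAccountValid()) {
                    continue;   // already disabled, nothing to do
                }
                messages.clear();
                PDUser.setAccountValid(ctx, userName, false, messages);
                report("setAccountValid " + userName, messages);
                disabled.add(userName);
            } catch (PDException e) {
                // One failing entry must not abort the sweep; keep its messages for the audit log.
                report("skipped " + userName, e.getMessages());   // getMessages() assumed
            }
        }
        return disabled;
    }

    /** Prints the informational and warning messages that accompany a successful call. */
    static void report(String step, PDMessages messages) {
        // PDMessages is assumed to be a java.util.List of PDMessage objects.
        if (messages != null && !messages.isEmpty()) {
            System.err.println(step + ": " + messages);
        }
    }
}
```

Names are canonicalized before comparison because, as Chapter 3 states, Tivoli Access Manager user names are not case sensitive and should never be defined with leading or trailing blanks; an HR feed that spells a name differently must not cause a working account to be disabled. The PDMessages object is cleared before every call so that messages from one user are not attributed to the next.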

Deleting objects

To delete an object, use the static deletion method associated with the administration object. For example, to delete a Tivoli Access Manager user, you would use the PDUser.deleteUser() static method. This is illustrated in Figure 7. This method results in the Tivoli Access Manager user being deleted immediately from the policy server.

    /*------------------------------------------------------------------
     * Delete a user
     *------------------------------------------------------------------
     */
    // Set up all of the user's attributes
    String name = "Leah Allen";

    messages.clear();
    PDUser.deleteUser(mySecurityContext,
                      name,
                      true,
                      messages);

Figure 7. Deleting a user

Messages

All constructors, static methods, and instance methods have an output parameter consisting of a PDMessages object. In addition, exceptions generated by Tivoli Access Manager contain a PDMessages object.

A PDMessages object contains zero or more PDMessage objects. Each PDMessage object represents a single message and consists of the following:

Message code
    A hexadecimal number that uniquely identifies the message.

Message text
    The localized text of the message.

Severity
    An indication of the severity of the message:
    • Informational
    • Warning
    • Error

The message text is localized based on the PDContext object that is used when the method is invoked, except in the case of a read-only instance method on a local administration object. When using a read-only instance method, the message text is localized based on the PDContext object used when the local administration object was created.

When a method completes successfully, check the PDMessages object for any informational or warning messages associated with the action performed. If an error is encountered during processing, a PDException exception is thrown, which might have messages associated with it.

The same PDMessages object can be used on multiple method invocations. Use the clear() method to clear the contents of the PDMessages object between method invocations.

The IBM Tivoli Access Manager Error Message Reference contains a list of the messages issued by Tivoli Access Manager along with an explanation of the message and the suggested corrective action. Messages are indexed by hexadecimal and decimal message number, as well as by message identifier.

Handling errors

All constructors, instance methods, and static methods throw a PDException exception when an error or unexpected event occurs. This exception contains a PDMessages object that might contain one or more PDMessage objects. See “Messages” on page 17 for more information about messages and message handling.

A PDException object also might contain a wrapped exception that was thrown by another Java component. Information about this wrapped exception can be obtained by using the methods of the PDException object.

The IBM Tivoli Access Manager Error Message Reference gives the explanation and the suggested corrective action for each message issued by Tivoli Access Manager.

Shutting down the administration API

After using the administration API, the PDAdmin object must be shut down. This is accomplished by calling the PDAdmin.shutdown() method as shown in Figure 8.

    PDAdmin.shutdown(messages);

Figure 8. Shutting down the administration API

Character-based data considerations

Character-based data, such as user IDs and passwords, is stored and manipulated by the Java classes and methods as strings of Unicode characters. This character data is converted from Unicode into UTF-8 (Universal Character Set Transformation Format-8) before being sent to the Tivoli Access Manager policy server and stored in the user registry. Similarly, data from the user registry and the policy server is received in UTF-8 and converted into Unicode. Unicode and UTF-8 both allow any character in any locale to be uniquely represented.
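The sections “Initializing the administration API”, “Establishing a security context”, “Messages”, “Handling errors” and “Shutting down the administration API” describe the steps of one procedure. The following added example, which is not code from the reference or from the product, puts that procedure into a single program: it initializes the API, builds the file:/// URL the PDContext constructor requires, reads the administrator password without echo into a char[] that never becomes a String, opens the context exactly as in Figure 3, reads one user, prints every message with its code in hexadecimal (the form the Error Message Reference is indexed by), and shuts the API down on every path, including after a PDException. Assumptions, all to be checked against the class reference for your release: the package names; that PDMessages is a java.util.List of PDMessage objects with accessors getMsgCode(), getSeverity() and getMsgText(); PDException.getMessages() and a wrapped exception reachable through getCause(); and a PDUser constructor that takes a plain user name.

```java
import java.io.Console;
import java.io.File;
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

// Package names assumed (jadmin for PDAdmin/PDUser, jutil for context, messages
// and exceptions); verify them against the class reference for your release.
import com.tivoli.pd.jadmin.PDAdmin;
import com.tivoli.pd.jadmin.PDUser;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessage;
import com.tivoli.pd.jutil.PDMessages;

/**
 * Complete lifecycle of an administration API client: initialize, open a
 * security context with a password that never becomes a String, do one unit
 * of work, surface every message, and shut down on all paths.
 *
 * Usage: java AdminSession <config-file> <domain> <admin-user-id> <user-to-inspect>
 */
public final class AdminSession {

    /** Builds the file:/// URL the PDContext constructor requires, on Unix and Windows alike. */
    static URL configFileUrl(File configFile) throws Exception {
        String path = configFile.getAbsoluteFile().toURI().getRawPath();   // "/etc/x.conf" or "/C:/x.conf"
        return new URL("file:///" + path.substring(1));
    }

    /** Reads the administrator password without echo; refuses to fall back to plain stdin. */
    static char[] readPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console: run interactively or feed the password from a secret store");
        }
        return console.readPassword("%s", prompt);
    }

    /** Prints every message with its hexadecimal code, the index used by the Error Message Reference. */
    static void report(String step, PDMessages messages) {
        if (messages == null || messages.isEmpty()) {
            return;
        }
        // PDMessages is assumed to be a List of PDMessage; the accessor names are assumed too.
        for (Object o : messages) {
            PDMessage m = (PDMessage) o;
            System.err.println(String.format("%s: 0x%08x [%s] %s",
                    step, m.getMsgCode(), m.getSeverity(), m.getMsgText()));
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: AdminSession <config-file> <domain> <admin-user-id> <user-name>");
            System.exit(2);
        }
        URL configFileURL = configFileUrl(new File(args[0]));
        String domain = args[1];
        String adminName = args[2];
        String userName = args[3];

        PDMessages messages = new PDMessages();
        char[] adminPassword = null;
        int exitCode = 0;
        PDAdmin.initialize("AdminSession", messages);
        report("initialize", messages);
        try {
            adminPassword = readPassword("Password for " + adminName + ": ");
            messages.clear();
            // Same constructor as Figure 3: locale, admin user ID, password, domain, config URL.
            PDContext ctx = new PDContext(new Locale("en", "US"), adminName, adminPassword, domain, configFileURL);
            report("PDContext", messages);

            messages.clear();
            PDUser user = new PDUser(ctx, userName, messages);   // constructor by user name (assumed overload)
            report("PDUser", messages);
            System.out.println(user.getId() + ": " + user.getDescription()
                    + (user.isAccountValid() ? " (account valid)" : " (account disabled)"));
        } catch (PDException e) {
            report("PDException", e.getMessages());   // getMessages() assumed
            if (e.getCause() != null) {                // wrapped exception, if the runtime chains it
                System.err.println("wrapped: " + e.getCause());
            }
            exitCode = 1;   // do not call System.exit here: it would skip the finally block
        } finally {
            if (adminPassword != null) {
                Arrays.fill(adminPassword, '\0');   // zero our copy once the session is over
            }
            messages.clear();
            PDAdmin.shutdown(messages);   // always release the runtime, even on the error path
            report("shutdown", messages);
        }
        System.exit(exitCode);
    }
}
```

The password array is zeroed only in the finally block, after the session is finished, rather than immediately after the PDContext is constructed; a context that needs to re-authenticate later must not find its credential wiped. Exit status is recorded in a variable and applied after the finally block, because System.exit() inside the catch would halt the JVM before PDAdmin.shutdown() ran.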

Chapter 3. Administering users and groups

The administration API provides a collection of classes and methods for administering IBM Tivoli Access Manager (Tivoli Access Manager) users and groups. This chapter describes the tasks that those classes and methods accomplish.

Information about Tivoli Access Manager users and groups is stored in the user registry. You can use the administration API to both modify and access user and group settings in the user registry. In addition, the administration API provides classes and methods to administer password and account policy settings both on a per-user and a global basis.

Tivoli Access Manager provides the pdadmin command line interface (CLI) that accomplishes many of the same user, group, and policy administration tasks. Application developers who have previously used the pdadmin command to manage a Tivoli Access Manager secure domain will find the administration API functions straightforward to implement.

This chapter contains the following topics:
• “Administering users”
• “Administering user information” on page 20
• “Administering user account policies” on page 21
• “Administering user password policies” on page 22
• “Administering groups” on page 23
• “Administering group information” on page 24

Administering users

The administration API provides classes and methods for creating, accessing, listing, and deleting Tivoli Access Manager user information within the user registry.

The name of a user is not case sensitive. Therefore user, USER, User, and UsEr all refer to the same Tivoli Access Manager user.

The PDUser.createUser method creates a user in the user registry used by the Tivoli Access Manager policy server.

Note: When a user definition already exists in the user registry, use the PDUser.importUser method instead. The PDUser.importUser method imports an existing user definition from the user registry into Tivoli Access Manager and allows the user definition to be managed by Tivoli Access Manager.

Use the PDUser.deleteUser method to delete a user from Tivoli Access Manager. Table 3 on page 20 lists the user administration functions.

User registry difference: Leading and trailing blanks in a user name do not make the name unique when using an LDAP or Active Directory user registry. However, leading and trailing blanks do make the user name unique when using a Domino server as a user registry. To keep name processing consistent regardless of which user registry is being used, do not define user names with leading or trailing blanks.

Table 3. Administering users

    Function             Description
    PDUser.createUser    Creates the specified user.
    PDUser.importUser    Creates a Tivoli Access Manager user by importing an existing user from the user registry.
    PDUser.deleteUser    Deletes the specified user.
    PDUser.listUsers     Lists Tivoli Access Manager users.

Administering user information

The administration API allows you to administer the information associated with a Tivoli Access Manager user. When a user account has been created in the user registry, you can set and get different pieces of information about the user.

You must create a security context between the calling application and the Tivoli Access Manager policy server before you can access the user registry.

You can obtain the user registry information for a user object by specifying either the Tivoli Access Manager user name or the user registry name. Table 4 lists the methods available for administering user information.

Table 4. Administering user information

    Function                          Description
    PDUser constructor                Instantiates a user object for the specified Tivoli Access Manager or user registry name.
    PDUser object.getDescription      Returns the user description.
    PDUser object.getRgyName          Returns the user registry name for the user.
    PDUser object.getId               Returns the name of the object.
    PDUser object.getFirstName        Returns the first-name attribute for the user.
    PDUser object.getLastName         Returns the last-name attribute for the user.
    PDUser object.getPolicy           Returns the password and account policy settings associated with the user.
    PDUser object.getGroups           Lists the groups in which the user is a member.
    PDUser object.isAccountValid      Returns the account-valid indicator for the user.
    PDUser object.isPDUser            Returns a setting that indicates if this is a Tivoli Access Manager user.
    PDUser object.isSSOUser           Returns a setting that indicates if the user has single signon capabilities.
    PDUser.setDescription             Sets a user description.
    PDUser object.setDescription
    PDUser.setAccountValid            Enables or disables a user account.
    PDUser object.setAccountValid
    PDUser.setSSOUser                 Enables or disables the single signon capabilities of a user.
    PDUser object.setSSOUser
    PDUser object.isPasswordValid     Returns the enabled indicator for the user’s password.
    PDUser.setPassword                Sets a user’s password.
    PDUser object.setPassword
    PDUser.setPasswordValid           Enables or disables a user’s password.
    PDUser object.setPasswordValid

Administering user account policies

You can manage user access by setting account policies. You can specify policies that apply only to a single user or specify policies that apply for all users.

When a user’s account policy attribute is set to a value and enforced, that value always takes precedence over a value set for the general policy, regardless of which value is more restrictive. If an account policy attribute for a user is not enforced, then the value set for the general policy, if that value is set and enforced, is in effect for the user.

Table 5 describes the administration API methods that you can use to modify or access account policies.

Table 5. Administering user account policies

    Function                                       Description
    PDUser.getUserRgy                              Determines which type of user registry is configured for the Tivoli Access Manager policy server.
    PDPolicy constructor                           Instantiates a policy object for a user, or for all users in the case of the global policy.
    PDPolicy object.acctDisableTimeEnforced        Returns an indicator whether the account disable time interval policy is enforced.
    PDPolicy object.acctDisableTimeUnlimited       Returns an indicator whether the account disable time interval policy is unlimited.
    PDPolicy object.acctExpDateEnforced            Returns an indicator whether the account expiration date policy is enforced.
    PDPolicy object.acctExpDateUnlimited           Returns an indicator whether the account expiration date policy is unlimited.
    PDPolicy object.getAcctExpDate                 Gets the account expiration date for user accounts.
    PDPolicy object.getAcctDisableTimeInterval     Gets the amount of time to disable a user account when the maximum number of login failures is exceeded.
    PDPolicy object.getMaxFailedLogins             Gets the maximum number of failed logins allowed for user accounts.
    PDPolicy object.getAccessibleDays              Gets the time-of-day access policy for user accounts.
    PDPolicy object.getAccessStartTime
    PDPolicy object.getAccessEndTime
    PDPolicy object.getAccessTimezone
    PDPolicy object.maxFailedLoginsEnforced        Returns an indicator whether the maximum failed login policy is enforced.
    PDPolicy.setAcctExpDate                        Sets the account expiration date for user accounts.
    PDPolicy object.setAcctExpDate
    PDPolicy.setAcctDisableTime                    Sets the amount of time to disable a user account when the maximum number of login failures is exceeded.
    PDPolicy object.setAcctDisableTime
    PDPolicy.setMaxFailedLogins                    Sets the maximum number of failed logins allowed for user accounts.
    PDPolicy object.setMaxFailedLogins
    PDPolicy.setTodAccess                          Sets the time-of-day access policy for user accounts.
    PDPolicy object.setTodAccess
    PDPolicy object.todAccessEnforced              Returns an indicator whether the time-of-day access policy is enforced.
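The precedence rule stated above is easy to get wrong, because it is not “the more restrictive value wins”: an enforced per-user value overrides the global policy even when it is weaker. The following added example, which is not code from the reference or from the product, encodes the rule once in a generic helper and applies it to the lockout attributes from Table 5, flagging the case the rule permits, a per-user failed-login threshold looser than the global one, and handling the unlimited disable interval. It assumes the package names, that the PDPolicy constructor takes (context, user name, messages) with a null user name selecting the global policy, and that the numeric getters return int or long; the same resolve() helper applies unchanged to any other getter and enforced-indicator pair on PDPolicy.

```java
import java.util.function.Function;
import java.util.function.Predicate;

// Package names assumed (jadmin for PDPolicy, jutil for context, messages and
// exceptions); verify them against the class reference for your release.
import com.tivoli.pd.jadmin.PDPolicy;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/**
 * Resolves the policy value actually in force for a user: an enforced per-user
 * value wins even when it is weaker than the global one; otherwise the global
 * value applies only if it is itself set and enforced; otherwise nothing is.
 */
public final class EffectivePolicy {

    /** One resolved attribute: the value in force and the level it came from. */
    public static final class Resolved<T> {
        public final T value;        // null when source is "none"
        public final String source;  // "user", "global" or "none"
        Resolved(T value, String source) { this.value = value; this.source = source; }
        @Override public String toString() { return value + " (" + source + ")"; }
    }

    /** The precedence rule, written once for any enforced-indicator / getter pair. */
    static <T> Resolved<T> resolve(PDPolicy user, PDPolicy global,
                                   Predicate<PDPolicy> enforced, Function<PDPolicy, T> getter) {
        if (enforced.test(user)) {
            return new Resolved<T>(getter.apply(user), "user");
        }
        if (enforced.test(global)) {
            return new Resolved<T>(getter.apply(global), "global");
        }
        return new Resolved<T>(null, "none");
    }

    /**
     * Reads the per-user and global policy objects and resolves the lockout
     * attributes. Returns one line suitable for an audit report.
     */
    public static String lockoutSummary(PDContext ctx, String userName) throws PDException {
        PDMessages messages = new PDMessages();
        // Constructor shape assumed: (context, user name, messages), with a null
        // user name selecting the global policy; check the class reference.
        PDPolicy user = new PDPolicy(ctx, userName, messages);
        messages.clear();
        PDPolicy global = new PDPolicy(ctx, null, messages);

        Resolved<Long> maxFailed = resolve(user, global,
                p -> p.maxFailedLoginsEnforced(),
                p -> (long) p.getMaxFailedLogins());
        // The disable interval may be enforced yet unlimited; report that as text
        // rather than as a meaningless number.
        Resolved<String> disableFor = resolve(user, global,
                p -> p.acctDisableTimeEnforced(),
                p -> p.acctDisableTimeUnlimited() ? "unlimited"
                                                  : String.valueOf(p.getAcctDisableTimeInterval()));

        StringBuilder sb = new StringBuilder(userName).append(": ");
        sb.append("max failed logins = ").append(maxFailed).append("; ");
        sb.append("disable interval = ").append(disableFor);

        // The weak case the rule allows: a per-user threshold looser than the global one.
        if ("user".equals(maxFailed.source) && global.maxFailedLoginsEnforced()
                && maxFailed.value > (long) global.getMaxFailedLogins()) {
            sb.append(" [WARNING: per-user lockout threshold is weaker than the global policy]");
        }
        return sb.toString();
    }
}
```

Because per-user attributes silently override the global policy, a review of lockout settings has to read both policy objects for every user; checking the global policy alone says nothing about an account whose own threshold was raised.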

Administering

user

password

policies

You

can

manage

user

access

by

setting

password

attributes.

You

can

specify

policies

that

apply

only

to

a

single

user

or

specify

policies

that

apply

for

all

users.

When

a

user’s

password

policy

attribute

is

set

to

a

value

and

enforced,

that

value

always

takes

precedence

over

a

value

set

for

the

general

policy,

regardless

of

which

value

is

more

restrictive.

If

a

password

policy

attribute

for

a

user

is

not

enforced,

then

the

value

set

for

the

general

policy,

if

that

value

is

set

and

enforced,

is

in

effect

for

the

user.

Table

6

describes

the

administration

API

methods

that

you

can

use

to

modify

or

access

password

policies.

Table 6. Administering user password policies

PDPolicy constructor
    Instantiates a policy object for a user, or for all users in the case of the global policy.

PDPolicy object.getMaxPwdAge
    Gets the password expiration date.

PDPolicy object.getMaxPwdRepChars
    Gets the maximum number of repeated characters allowed in the password.

PDPolicy object.getMinPwdAlphas
    Gets the minimum number of alphabetic characters required in the password.

PDPolicy object.getMinPwdLen
    Gets the minimum password length.

PDPolicy object.getMinPwdNonAlphas
    Gets the minimum number of nonalphabetic characters required in a password.

PDPolicy object.maxPwdAgeEnforced
    Returns an indicator whether the maximum password age policy is enforced.

PDPolicy object.maxPwdRepCharsEnforced
    Returns an indicator whether the maximum repeated characters policy is enforced.

PDPolicy object.minPwdAlphasEnforced
    Returns an indicator whether the minimum alphabetic characters policy is enforced.

PDPolicy object.minPwdLenEnforced
    Returns an indicator whether the minimum password length policy is enforced.

PDPolicy object.minPwdNonAlphasEnforced
    Returns an indicator whether the minimum nonalphabetic characters policy is enforced.

PDPolicy object.pwdSpacesAllowed
    Returns an indicator whether spaces are allowed in a password.

PDPolicy.setMaxPwdAge, PDPolicy object.setMaxPwdAge
    Sets the password expiration date.

PDPolicy.setMaxPwdRepChars, PDPolicy object.setMaxPwdRepChars
    Sets the maximum number of repeated characters allowed in a password.

PDPolicy.setMinPwdAlphas, PDPolicy object.setMinPwdAlphas
    Sets the minimum number of alphabetic characters required in a password.

PDPolicy.setMinPwdLen, PDPolicy object.setMinPwdLen
    Sets the minimum password length.

PDPolicy.setMinPwdNonAlphas, PDPolicy object.setMinPwdNonAlphas
    Sets the minimum number of nonalphabetic characters required in a password.

PDPolicy.setPwdSpacesAllowed, PDPolicy object.setPwdSpacesAllowed
    Sets policy for whether spaces are allowed in a password.
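The precedence rule described above, as an added example that is not part of this reference: a small Java helper that resolves the effective value of one password policy attribute for a user from the per-user and global PDPolicy objects, and flags per-user overrides that are weaker than the global policy. The class and method names (PDPolicy, getMinPwdLen, minPwdLenEnforced, PDContext, PDMessages) come from the tables on this page; the PDContext constructor arguments, the use of a null user ID to select the global policy, the long return type of the getters, the PDContext.close() call and the PdPerm.properties path are assumptions to verify against the Javadoc before use.

```java
import java.io.Console;
import java.net.URL;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDPolicy;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDMessages;

/** Added example: resolving one password policy attribute under the "enforced per-user value wins" rule. */
public class PolicyPrecedence {

    /** Outcome of the precedence rule for a single attribute. */
    static final class Effective {
        final boolean enforced;  // false when neither the user nor the global policy enforces the attribute
        final long value;        // meaningful only when enforced is true
        final String source;     // "user", "global" or "none"

        Effective(boolean enforced, long value, String source) {
            this.enforced = enforced;
            this.value = value;
            this.source = source;
        }
    }

    /**
     * Pure precedence logic, independent of the API: an enforced per-user value always wins,
     * even when it is weaker than the global value; otherwise the global value applies only
     * if it is itself enforced; otherwise nothing is enforced for this attribute.
     */
    static Effective resolve(boolean userEnforced, long userValue,
                             boolean globalEnforced, long globalValue) {
        if (userEnforced) {
            return new Effective(true, userValue, "user");
        }
        if (globalEnforced) {
            return new Effective(true, globalValue, "global");
        }
        return new Effective(false, 0L, "none");
    }

    /**
     * True when an enforced per-user value lowers a minimum (minPwdLen, minPwdAlphas,
     * minPwdNonAlphas) below the enforced global value. Such overrides are legal and they win,
     * which is exactly why a reviewer wants them listed.
     */
    static boolean weakensMinimum(boolean userEnforced, long userValue,
                                  boolean globalEnforced, long globalValue) {
        return userEnforced && globalEnforced && userValue < globalValue;
    }

    /** Reads the global and per-user policies and reports the effective minimum password length. */
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): PolicyPrecedence <user id>");
            System.exit(2);
        }
        // Assumed: PdPerm.properties was produced by SvrSslCfg for this application.
        URL config = new URL("file:///opt/PolicyDirector/etc/PdPerm.properties");
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master",
                                      console.readPassword("sec_master password: "), config);
        PDMessages msgs = new PDMessages();
        try {
            // Assumed: a null user ID selects the global policy (Table 6, PDPolicy constructor).
            PDPolicy global = new PDPolicy(ctx, null, msgs);
            PDPolicy user = new PDPolicy(ctx, args[0], msgs);

            boolean uEnf = user.minPwdLenEnforced();
            boolean gEnf = global.minPwdLenEnforced();
            long uVal = uEnf ? user.getMinPwdLen() : 0L;     // only read a value that is enforced
            long gVal = gEnf ? global.getMinPwdLen() : 0L;

            Effective minLen = resolve(uEnf, uVal, gEnf, gVal);
            if (minLen.enforced) {
                System.out.println("effective minimum password length for " + args[0] + " = "
                        + minLen.value + " (from the " + minLen.source + " policy)");
            } else {
                System.out.println("minimum password length is not enforced for " + args[0]);
            }
            if (weakensMinimum(uEnf, uVal, gEnf, gVal)) {
                System.out.println("REVIEW: the per-user override is weaker than the global policy");
            }
        } finally {
            ctx.close();   // assumed: releases the security context with the policy server
        }
    }
}
```

The same resolve() call applies to every attribute pair in Tables 5 and 6 (getMaxFailedLogins with maxFailedLoginsEnforced, getMinPwdAlphas with minPwdAlphasEnforced, and so on); for "maximum" style attributes such as maxPwdAge the weakening direction is reversed, so compare with userValue > globalValue instead.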

Administering groups

The administration API provides methods for creating, accessing, listing, and deleting Tivoli Access Manager group information in the user registry.

The name of a group is not case sensitive. Therefore group, GROUP, Group, and GrOuP all refer to the same Tivoli Access Manager group.

The PDGroup.createGroup method creates a group in the user registry used by the Tivoli Access Manager policy server.

Note: When a group definition already exists in the user registry, use the PDGroup.importGroup method instead. The PDGroup.importGroup method imports an existing group definition from the user registry into Tivoli Access Manager and allows the group definition to be managed by Tivoli Access Manager.


Table 7 lists the group administration functions.

Table 7. Administering groups

PDGroup.createGroup
    Creates the specified group.

PDGroup.importGroup
    Creates a Tivoli Access Manager group by importing an existing group from the user registry.

PDGroup.deleteGroup
    Deletes the specified group.

PDGroup.listGroups
    Lists Tivoli Access Manager groups.

Administering group information

The administration API enables you to administer information associated with a group. When a group has been created in the user registry, you can set and get different pieces of information about the group.

You must create a security context between the calling application and the Tivoli Access Manager policy server before you can access the user registry. You can obtain the user registry information for a group object by specifying either the Tivoli Access Manager group name or the user registry group name.

Table 8 lists the group information administration functions.

Table 8. Administering group attributes

PDGroup constructor
    Instantiates a group object for the specified Tivoli Access Manager or user registry name.

PDGroup object.getDescription
    Returns the group description.

PDGroup object.getRgyName
    Returns the user registry name for the group.

PDGroup object.getId
    Returns the Tivoli Access Manager name for the group.

PDGroup object.isPDGroup
    Returns an indicator whether the object is a Tivoli Access Manager group.

PDGroup.setDescription, PDGroup object.setDescription
    Sets a group description.

PDGroup object.getMembers
    Lists the members of a group.

PDGroup.addMembers, PDGroup object.addMembers
    Adds users to a group.

PDGroup.removeMembers, PDGroup object.removeMembers
    Removes users from a group.
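Creating or importing a group and adding members, as an added example that is not part of this reference. It applies the Note above (use importGroup when the registry already holds the definition) and the case-insensitivity rule, so that a batch never asks the policy server to create the same group under two spellings. PDGroup.createGroup, importGroup, addMembers, getMembers, getRgyName, isPDGroup and the PDContext setup come from Tables 7 and 8 and the surrounding text; the exact parameter lists, the group registry DNs, the example.com suffix and the assumption that createGroup throws PDException for an existing registry entry are mine, not the product's.

```java
import java.io.Console;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import com.tivoli.pd.jadmin.PDGroup;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/** Added example: create-or-import a group, add members, read them back. */
public class GroupProvisioning {

    /**
     * Group names are not case sensitive, so "Orders-Admins" and "orders-admins" name the same
     * group. Collapse a requested batch to one spelling per group (the first one seen) so the
     * batch never asks the policy server to create a group it has just created.
     */
    static List<String> distinctGroupNames(List<String> requested) {
        Map<String, String> firstSpelling = new LinkedHashMap<>();
        for (String name : requested) {
            firstSpelling.putIfAbsent(name.toLowerCase(Locale.ROOT), name);
        }
        return new ArrayList<>(firstSpelling.values());
    }

    /**
     * Create the group in the registry used by the policy server; if the registry already
     * holds a definition under groupRgyName, import that definition instead (the Note under
     * "Administering groups"). Parameter lists are assumed from the method names in Table 7.
     */
    static void createOrImport(PDContext ctx, String groupId, String groupRgyName,
                               String description, PDMessages msgs) throws PDException {
        try {
            PDGroup.createGroup(ctx, groupId, groupRgyName, description, null, msgs);
        } catch (PDException createFailed) {
            // Assumed: createGroup throws when the registry entry exists. Production code should
            // inspect createFailed's messages and only fall through for that cause, so that a
            // permission or connectivity failure is not silently retried as an import.
            PDGroup.importGroup(ctx, groupId, groupRgyName, null, msgs);
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            System.err.println("run from a terminal so the password is not passed on the command line");
            System.exit(2);
        }
        URL config = new URL("file:///opt/PolicyDirector/etc/PdPerm.properties");   // assumed path
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master",
                                      console.readPassword("sec_master password: "), config);
        PDMessages msgs = new PDMessages();
        try {
            // Two spellings of one group collapse to a single create-or-import call.
            for (String g : distinctGroupNames(Arrays.asList("orders-admins", "Orders-Admins"))) {
                createOrImport(ctx, g, "cn=" + g + ",ou=groups,o=example.com", "Order approvers", msgs);
            }
            ArrayList members = new ArrayList();   // raw ArrayList: the 5.1 API predates generics
            members.add("jdoe");
            members.add("asmith");
            PDGroup.addMembers(ctx, "orders-admins", members, msgs);

            // Read the group back through the object interface of Table 8.
            PDGroup group = new PDGroup(ctx, "orders-admins", msgs);
            System.out.println(group.getId() + " -> " + group.getRgyName());
            System.out.println("members: " + group.getMembers());
            System.out.println("managed by Tivoli Access Manager: " + group.isPDGroup());
        } finally {
            ctx.close();   // assumed: releases the security context with the policy server
        }
    }
}
```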


Chapter 4. Administering protected objects and protected object spaces

You can use the administration API to create, modify, examine, list, and delete IBM Tivoli Access Manager (Tivoli Access Manager) protected objects. These protected objects represent resources that must be secured to enforce your security policy. You can specify the security policy by applying access control lists (ACLs), protected object policies (POPs), and authorization rules to the protected objects.

Tivoli Access Manager protected objects exist within a virtual hierarchy known as a protected object space. Tivoli Access Manager provides several protected object spaces by default. You can use the administration API to define new regions of the protected object space and to define and secure resources that are specific to a third-party application.

This chapter describes the administration API functions that you can use to administer protected object spaces and protected objects. You must be familiar with protected objects before using the administration API. For an introduction to protected objects, see the chapter about managing protected objects in the IBM Tivoli Access Manager Base Administration Guide. For an introduction to the use of ACLs, POPs, and authorization rules to secure protected objects, see the chapters about using access control policies, protected object policies, and authorization rules in the IBM Tivoli Access Manager Base Administration Guide.

This chapter contains the following topics:
• "Administering protected object spaces"
• "Administering protected objects" on page 26
• "Administering protected object attributes" on page 27

Administering protected object spaces

You can use the administration API to create and administer a user-defined protected object space. You can use this protected object space to define a resource hierarchy that is specific to a third-party application that uses Tivoli Access Manager authorization services to enforce a security policy.

User-defined object spaces created with the administration API are dynamic because they can be updated while Tivoli Access Manager is running.

Table 9 on page 26 lists the methods available for administering protected object spaces.

Note: For an introduction to the creation of protected object spaces, see the protected object space information in the IBM Tivoli Access Manager Base Administration Guide.


Table 9. Administering protected object spaces

PDProtObjectSpace.createProtObjectSpace
    Creates a Tivoli Access Manager protected object space.

PDProtObjectSpace.deleteProtObjectSpace
    Deletes the specified Tivoli Access Manager protected object space.

PDProtObjectSpace.listProtObjectSpaces
    Lists the Tivoli Access Manager protected object spaces.

Administering protected objects

Define protected objects that reflect the resources that your security policy protects. The name of a protected object can be of any length and contain any character. However, the forward slash (/) character is interpreted to be part of the object hierarchy, which allows ACLs to be attached at the various points indicated by the forward slash character. A name taken from application data that happens to contain a slash therefore creates intermediate nodes, each of which is a point where policy can be attached or inherited.

After you create a protected object, you can specify a security policy for it by defining and attaching ACLs, POPs, authorization rules, or any combination of these entities. For more information about these Tivoli Access Manager security concepts, see the IBM Tivoli Access Manager Base Administration Guide.

Use caution when implementing protected objects programmatically. In many cases, the protected object hierarchy is manually designed, built, and tested by a security expert. Carefully review the hierarchy to ensure that the security policy is correctly enforced. If you choose to build protected object hierarchies programmatically, be sure to test and review the settings for each object before deploying the security environment.

Table 10 lists the methods available to administer protected objects.

Table 10. Administering protected objects

PDProtObject.attachAcl, PDProtObject object.attachAcl
    Attaches the specified access control list to the specified protected object.

PDProtObject.attachPop, PDProtObject object.attachPop
    Attaches a POP to the specified protected object.

PDProtObject.attachAuthzRule, PDProtObject object.attachAuthzRule
    Attaches an authorization rule to the specified protected object.

PDProtObject.createProtObject
    Creates a Tivoli Access Manager protected object.

PDProtObject.deleteProtObject
    Deletes the specified Tivoli Access Manager protected object.

PDProtObject.detachAcl, PDProtObject object.detachAcl
    Detaches the access control list from the specified protected object.

PDProtObject.detachPop, PDProtObject object.detachPop
    Detaches a POP from the specified protected object.

PDProtObject.detachAuthzRule, PDProtObject object.detachAuthzRule
    Detaches an authorization rule from the specified protected object.

PDProtObject constructor
    Instantiates the specified protected object.

PDProtObject object.getAclId
    Gets the name of the ACL attached to the specified protected object.

PDProtObject object.getEffectiveAclId
    Gets the name of the ACL in effect for the specified protected object.

PDProtObject object.getPopId
    Gets the name of the POP attached to the specified protected object.

PDProtObject object.getEffectivePopId
    Gets the name of the POP in effect for the specified protected object.

PDProtObject object.getAuthzRuleId
    Gets the name of the authorization rule object that is attached to the specified protected object.

PDProtObject object.getEffectiveAuthzRuleId
    Gets the name of the authorization rule object that is in effect for the specified protected object.

PDProtObject object.getDescription
    Gets the description of the specified protected object.

PDProtObject object.getId
    Gets the name of the specified protected object.

PDProtObject object.isPolicyAttachable
    Indicates whether a protected object policy or access control list can be attached to the specified protected object.

PDProtObject object.exists
    Indicates whether a protected object exists.

PDProtObject object.access
    Indicates whether a specific action on a specific object is permitted.

PDProtObject object.multiAccess
    Indicates whether the specified actions on the specified objects are permitted.

PDProtObject.listProtObjectsByPop
    Returns a list of protected objects that have the specified protected object policy (POP) attached.

PDProtObject.listProtObjects
    Returns the protected objects contained under the specified directory.

PDProtObject.listProtObjectsByAcl
    Returns a list of protected objects that have the specified access control list attached.

PDProtObject.setDescription, PDProtObject object.setDescription
    Sets the description field of the specified protected object.

PDProtObject.setPolicyAttachable, PDProtObject object.setPolicyAttachable
    Sets whether a protected object policy or access control list can be attached to the specified protected object.

PDProtObject.listProtObjectsByAuthzRule
    Lists the protected objects that have the specified authorization rule attached.
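The review that the text above asks for, as an added example that is not part of this reference: it creates a small application region of the object space (Table 9), then walks it and records, for every object, whether the ACL and POP in effect are attached directly or inherited from an ancestor (Table 10). It also shows how a name containing forward slashes splits into hierarchy levels, each of which is a point where policy can be attached. Class and method names come from Tables 9 and 10; the parameter lists of createProtObjectSpace, createProtObject and attachAcl, the assumption that listProtObjects returns an ArrayList of String object names, the /MyApp names and the pre-existing orders-acl are assumptions.

```java
import java.io.Console;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDProtObject;
import com.tivoli.pd.jadmin.PDProtObjectSpace;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDMessages;

/** Added example: build an application region of the object space and review the policy in effect on every node. */
public class ObjectSpaceReview {

    /** Where the policy on one object comes from. */
    static final class Finding {
        final String objectId;
        final String effectiveAcl;   // ACL used for decisions on this object, or null
        final String aclSource;      // "attached", "inherited" or "none"
        final String effectivePop;   // POP in effect, or null

        Finding(String objectId, String effectiveAcl, String aclSource, String effectivePop) {
            this.objectId = objectId;
            this.effectiveAcl = effectiveAcl;
            this.aclSource = aclSource;
            this.effectivePop = effectivePop;
        }

        public String toString() {
            return objectId + "  acl=" + effectiveAcl + " (" + aclSource + ")  pop=" + effectivePop;
        }
    }

    /**
     * Pure classification: an object with no ACL of its own is governed by the nearest ancestor
     * ACL. Those inherited nodes are the ones to examine first when reviewing a hierarchy.
     */
    static String classify(String attachedAcl, String effectiveAcl) {
        if (attachedAcl != null && !attachedAcl.isEmpty()) {
            return "attached";
        }
        return (effectiveAcl != null && !effectiveAcl.isEmpty()) ? "inherited" : "none";
    }

    /**
     * Every forward slash in an object name opens a hierarchy level at which policy can be
     * attached, so an application-supplied name with slashes silently creates intermediate
     * nodes. "/MyApp/orders/approve" yields ["/MyApp", "/MyApp/orders", "/MyApp/orders/approve"].
     */
    static List<String> hierarchyLevels(String objectName) {
        List<String> levels = new ArrayList<>();
        StringBuilder path = new StringBuilder();
        for (String segment : objectName.split("/")) {
            if (segment.isEmpty()) {
                continue;   // the leading slash, or a doubled slash, adds no level
            }
            path.append('/').append(segment);
            levels.add(path.toString());
        }
        return levels;
    }

    /** Depth-first walk under root, recording the effective policy of each object. */
    static void review(PDContext ctx, String root, PDMessages msgs, List<Finding> out) throws Exception {
        PDProtObject obj = new PDProtObject(ctx, root, msgs);
        out.add(new Finding(obj.getId(), obj.getEffectiveAclId(),
                classify(obj.getAclId(), obj.getEffectiveAclId()), obj.getEffectivePopId()));
        ArrayList children = PDProtObject.listProtObjects(ctx, root, msgs);   // assumed: ArrayList of String
        for (Object child : children) {
            String name = (String) child;
            if (!name.startsWith("/")) {
                name = root + "/" + name;   // tolerate an API that returns names relative to root
            }
            review(ctx, name, msgs, out);
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            System.err.println("run from a terminal so the password is not passed on the command line");
            System.exit(2);
        }
        URL config = new URL("file:///opt/PolicyDirector/etc/PdPerm.properties");   // assumed path
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master",
                                      console.readPassword("sec_master password: "), config);
        PDMessages msgs = new PDMessages();
        try {
            // One-time setup of the application region; parameter lists are assumed.
            PDProtObjectSpace.createProtObjectSpace(ctx, "/MyApp", "Order service", msgs);
            for (String level : hierarchyLevels("/MyApp/orders/approve")) {
                if (!new PDProtObject(ctx, level, msgs).exists()) {
                    PDProtObject.createProtObject(ctx, level, "order service resource", msgs);
                }
            }
            PDProtObject.attachAcl(ctx, "/MyApp", "orders-acl", msgs);   // assumed: orders-acl already exists

            // The review itself: print where each object's policy really comes from.
            List<Finding> findings = new ArrayList<>();
            review(ctx, "/MyApp", msgs, findings);
            for (Finding f : findings) {
                System.out.println(f);
            }
        } finally {
            ctx.close();   // assumed: releases the security context with the policy server
        }
    }
}
```

Objects reported as "inherited" are governed by an ACL attached higher up; after any programmatic build, compare that list against the hierarchy the security expert designed before the environment goes live.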

Administering protected object attributes

The attributes for a protected object can be created, set, queried, and deleted.


Table 11 describes the methods for administering protected object attributes.

Table 11. Administering protected object attributes

PDProtObject.deleteAttribute, PDProtObject object.deleteAttribute
    Deletes the specified extended attribute (name and values) from the specified protected object.

PDProtObject.deleteAttributeValue, PDProtObject object.deleteAttributeValue
    Deletes the specified value from the specified extended attribute key in the specified protected object.

PDProtObject object.getAttributeValues
    Returns the values associated with the specified extended attribute for the specified protected object.

PDProtObject object.getAttributeNames
    Lists all the extended attributes associated with the specified protected object.

PDProtObject.setAttributeValue, PDProtObject object.setAttributeValue
    Creates an extended attribute with the specified name and value, if it does not already exist, and adds the attribute to the specified protected object. If the attribute specified already exists, the specified value is added to the existing attribute.


Chapter 5. Administering access control

You can use the administration API to create, modify, examine, list, and delete IBM Tivoli Access Manager (Tivoli Access Manager) access control lists (ACLs). You can also use the administration API to attach ACLs to Tivoli Access Manager protected objects and to detach ACLs from protected objects.

Each ACL might contain entries for specific users and groups. You can use the administration API to set ACL entries for users and groups that already exist in the Tivoli Access Manager secure domain. You also can use the administration API to set ACL entries for the default user categories any-other and unauthenticated.

ACL entries consist of one or more permissions. These permissions specify actions that the owner of the entry is allowed to perform. Tivoli Access Manager provides a number of default permissions. You can use the administration API to define additional extended actions. You also can use the administration API to group the extended actions into action groups.

Understand the construction and use of ACLs before using the administration API ACL functions. The proper use of ACLs is key to successfully implementing a security policy. For more information, see the chapter about using access control lists in the IBM Tivoli Access Manager Base Administration Guide.

This chapter contains the following topics:
• "Administering access control lists"
• "Administering access control list entries" on page 30
• "Administering access control list extended attributes" on page 32
• "Administering action groups" on page 32
• "Administering extended actions" on page 33

Administering access control lists

ACLs enable you to grant or restrict specific users' and groups' access to protected resources. The administration API enables you to:
• Create and delete ACLs
• Retrieve or change information associated with an ACL
• List the user, group, any-other, and unauthenticated entries that are included in the ACL
• List all defined ACLs

The name of an ACL can be of any length. The following characters are allowed in an ACL name:
• Alphanumeric characters defined in the locale
• The underscore (_) character
• The hyphen (-) character

You specify the user entries that belong in each ACL. You also specify the permissions or actions that each user is allowed to perform.


You can specify permissions or actions based on group membership, rather than individual user identity, to expedite administration tasks.

The administration API defines the PDAcl object to contain a retrieved ACL. You can use administration API classes and methods to extract information from the PDAcl object.

Be sure that you understand how to define an ACL policy before using the administration API ACL methods. For more information, see the section about ACL entry syntax in the IBM Tivoli Access Manager Base Administration Guide.

Table 12 describes the methods for administering ACLs.

Table 12. Administering access control lists

PDAcl.createAcl
    Creates a new ACL.

PDAcl.deleteAcl
    Deletes the specified ACL.

PDAcl constructor
    Instantiates the specified ACL.

PDAcl object.getDescription
    Returns the description of the specified ACL.

PDAcl object.getId
    Returns the name of the specified ACL.

PDAcl.listAcls
    Returns the names of all the defined ACLs.

PDAcl.setDescription, PDAcl object.setDescription
    Sets or modifies the description for the specified ACL.

Administering access control list entries

You must create an ACL object before you can administer ACL entries for the object. The administration API can be used to specify entries for each of the following ACL entry types:
• Users
• Groups
• User any-other (also known as any-authenticated)
• User unauthenticated

PDAclEntryUser
    An ACL entry that applies to a particular user.

PDAclEntryGroup
    An ACL entry that applies to all members of a particular group.

PDAclEntryAnyOther
    The ACL entry that applies to any other authenticated user. Any user that has been authenticated into the Tivoli Access Manager secure domain, but is not covered by a separate user or group entry in the access control list, is allowed the permissions specified by this ACL entry.

PDAclEntryUnAuth
    The ACL entry that applies to unauthenticated users. Any user that has not been authenticated is allowed the permissions specified by this ACL entry. Because this entry grants access to anyone who can reach the resource, keep it to the minimum the resource genuinely requires.


Be sure that you understand ACL entry syntax, ACL entry types, and ACL permission (action) attributes before you use the administration API methods in this section. Tivoli Access Manager supports 18 default actions. For a list of the default Tivoli Access Manager actions, see the section about default Tivoli Access Manager permissions for actions in the IBM Tivoli Access Manager Base Administration Guide. For more information, see the section about ACL entry syntax in the IBM Tivoli Access Manager Base Administration Guide.

Table 13 lists the methods for administering ACL entries.

Table 13. Administering access control list entries

PDAcl object.getPDAclEntryAnyOther
    Returns the PDAclEntryAnyOther object associated with the ACL.

PDAcl object.getPDAclEntryUnAuth
    Returns the PDAclEntryUnAuth object associated with the ACL.

PDAcl object.getPDAclEntriesUser
    Returns a Java HashMap of the PDAclEntryUser objects associated with the ACL.

PDAcl object.getPDAclEntriesGroup
    Returns a Java HashMap of the PDAclEntryGroup objects associated with the ACL.

PDAcl.removePDAclEntryAnyOther, PDAcl object.removePDAclEntryAnyOther
    Removes the ACL entry for the any-other user from the specified ACL.

PDAcl.removePDAclEntryGroup, PDAcl object.removePDAclEntryGroup
    Removes the ACL entry for the specified group from the specified ACL.

PDAcl.removePDAclEntryUnAuth, PDAcl object.removePDAclEntryUnAuth
    Removes the ACL entry for the unauthenticated user from the specified ACL.

PDAcl.removePDAclEntryUser, PDAcl object.removePDAclEntryUser
    Removes the ACL entry for the specified user from the specified ACL.

PDAcl.setPDAclEntryAnyOther, PDAcl object.setPDAclEntryAnyOther
    Sets or modifies the ACL entry for the any-other user in the ACL. Call this function to specify permissions for all authenticated users that do not have a separate user or group entry in the specified ACL.

PDAcl.setPDAclEntryGroup, PDAcl object.setPDAclEntryGroup
    Sets or modifies the ACL entry for the specified group in the specified ACL.

PDAcl.setPDAclEntryUnAuth, PDAcl object.setPDAclEntryUnAuth
    Sets the ACL entry for the unauthenticated user in the specified ACL. Call this function to specify permissions for those users that have not been authenticated.

PDAcl.setPDAclEntryUser, PDAcl object.setPDAclEntryUser
    Sets the entry for the specified user in the specified ACL. Use this to specify the actions that a user is permitted to perform.
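Building an ACL with all four entry types and reviewing the result, as an added example that is not part of this reference. The permission parser follows the ACL entry syntax of the Base Administration Guide as I read it (unbracketed letters are primary-group actions, a [group] prefix switches to that action group), and the review flags actions granted to unauthenticated users that any-other users do not have, a reviewer's rule of mine rather than one the page states. T, r and x are among the 18 default actions; the constructors PDAclEntryUser(id, perms) and PDAclEntryAnyOther(perms), the accessor names getId() and getPerms(), the "[primary]" name for the default action group and the setPDAclEntry* parameter order are assumptions to check against the Javadoc.

```java
import java.io.Console;
import java.net.URL;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

import com.tivoli.pd.jadmin.PDAcl;
import com.tivoli.pd.jadmin.PDAclEntryAnyOther;
import com.tivoli.pd.jadmin.PDAclEntryGroup;
import com.tivoli.pd.jadmin.PDAclEntryUnAuth;
import com.tivoli.pd.jadmin.PDAclEntryUser;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDMessages;

/** Added example: build an ACL with user, group, any-other and unauthenticated entries, then review it. */
public class AclBuilder {

    /**
     * Split a permission string into individual actions. Letters belong to the primary action
     * group until a "[group]" prefix switches to that group; "[primary]" switches back.
     * "Tr[orders]a" parses to {T, r, [orders]a}.
     */
    static Set<String> actions(String perms) {
        Set<String> out = new LinkedHashSet<>();
        String group = "";
        int i = 0;
        while (i < perms.length()) {
            char c = perms.charAt(i);
            if (c == '[') {
                int end = perms.indexOf(']', i);
                if (end < 0) {
                    throw new IllegalArgumentException("unterminated action group in " + perms);
                }
                group = perms.substring(i, end + 1);
                if (group.equals("[primary]")) {
                    group = "";   // assumed name of the default action group
                }
                i = end + 1;
            } else {
                out.add(group + c);
                i++;
            }
        }
        return out;
    }

    /**
     * Actions that unauthenticated users would hold but authenticated any-other users would not.
     * Anonymous access broader than authenticated access is almost always a mistake, so the
     * returned set should be empty.
     */
    static Set<String> unauthExceedsAnyOther(String unauthPerms, String anyOtherPerms) {
        Set<String> extra = new LinkedHashSet<>(actions(unauthPerms));
        extra.removeAll(actions(anyOtherPerms));
        return extra;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            System.err.println("run from a terminal so the password is not passed on the command line");
            System.exit(2);
        }
        URL config = new URL("file:///opt/PolicyDirector/etc/PdPerm.properties");   // assumed path
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master",
                                      console.readPassword("sec_master password: "), config);
        PDMessages msgs = new PDMessages();
        try {
            PDAcl.createAcl(ctx, "orders-acl", msgs);
            PDAcl.setDescription(ctx, "orders-acl", "Order service", msgs);
            // Entry objects take (id, perms) for users and groups and (perms) for the two default
            // categories; T = traverse, c = control, m = modify, r = read, x = execute.
            PDAcl.setPDAclEntryUser(ctx, "orders-acl", new PDAclEntryUser("sec_master", "Tcm"), msgs);
            PDAcl.setPDAclEntryGroup(ctx, "orders-acl", new PDAclEntryGroup("orders-admins", "Trx"), msgs);
            PDAcl.setPDAclEntryAnyOther(ctx, "orders-acl", new PDAclEntryAnyOther("Tr"), msgs);
            PDAcl.setPDAclEntryUnAuth(ctx, "orders-acl", new PDAclEntryUnAuth("T"), msgs);

            // Read the ACL back and review what the policy server actually holds.
            PDAcl acl = new PDAcl(ctx, "orders-acl", msgs);
            HashMap users = acl.getPDAclEntriesUser();
            for (Object e : users.values()) {
                PDAclEntryUser u = (PDAclEntryUser) e;
                System.out.println("user  " + u.getId() + " " + actions(u.getPerms()));
            }
            HashMap groups = acl.getPDAclEntriesGroup();
            for (Object e : groups.values()) {
                PDAclEntryGroup g = (PDAclEntryGroup) e;
                System.out.println("group " + g.getId() + " " + actions(g.getPerms()));
            }
            PDAclEntryAnyOther anyOther = acl.getPDAclEntryAnyOther();
            PDAclEntryUnAuth unauth = acl.getPDAclEntryUnAuth();
            String anyOtherPerms = anyOther == null ? "" : anyOther.getPerms();
            String unauthPerms = unauth == null ? "" : unauth.getPerms();
            Set<String> extra = unauthExceedsAnyOther(unauthPerms, anyOtherPerms);
            if (!extra.isEmpty()) {
                System.out.println("REVIEW: unauthenticated holds " + extra + " that any-other lacks");
            }
        } finally {
            ctx.close();   // assumed: releases the security context with the policy server
        }
    }
}
```

With the entries above, unauthenticated users can only traverse ("T"), authenticated users with no entry of their own can traverse and read, and order administrators can also execute; the review step at the end is the habit worth keeping when ACLs are generated by code rather than typed by hand.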


Administering access control list extended attributes

Extended attributes for an ACL can be obtained, set, and deleted. Table 14 lists the methods available for administering ACL extended attributes.

Table 14. Administering access control list extended attributes

PDAcl.deleteAttribute, PDAcl object.deleteAttribute
    Deletes the specified extended attribute key from the specified ACL.

PDAcl.deleteAttributeValue, PDAcl object.deleteAttributeValue
    Deletes the specified value from the specified extended attribute key in the specified ACL.

PDAcl object.getAttributeValues
    Gets the extended attribute values for the specified extended attribute key from the specified ACL.

PDAcl object.getAttributeNames
    Lists the extended attribute keys associated with the specified ACL.

PDAcl.setAttributeValue, PDAcl object.setAttributeValue
    Creates an extended attribute with the specified name and value, if it does not already exist, and adds the attribute to the specified ACL. If the attribute specified already exists, the specified value is added to the existing attribute.

Administering action groups

You can use the administration API to create, examine, and delete action groups. Each action group can contain up to 32 actions. The default action group, referred to as the primary action group, contains the 18 predefined Tivoli Access Manager actions. Thus, you can add up to 14 new actions to the primary group. When you need to create more than 32 actions, you can use the administration API to define a new action group. Tivoli Access Manager supports up to 32 action groups.

For more information about action groups, see the section about creating extended ACL actions and action groups in the IBM Tivoli Access Manager Base Administration Guide.

Table 15 lists the methods for administering action groups.

Table 15. Administering action groups

PDActionGroup.createActionGroup
    Creates a new action group with the specified name.

PDActionGroup.deleteActionGroup
    Deletes the specified action group and all the actions that belong to the specified group.

PDActionGroup.listActionGroups
    Lists all the defined action group names.


Administering extended actions

Tivoli Access Manager provides a default set of actions (permissions) that belong to the primary action group and that can be granted to users or groups. You can use the administration API to define new, extended actions that supplement the set of default actions. Each of the extended actions can belong to the primary action group or to a custom action group. Extended actions are typically defined to support actions that are specific to a third-party application. For more information about extended actions, see the section about creating extended ACL actions and action groups in the IBM Tivoli Access Manager Base Administration Guide.

Table 16 lists the methods for administering extended actions.

Table 16. Administering extended actions

PDAction.createAction
    Defines a new action (permission) in the specified action group.

PDAction.deleteAction
    Deletes an action (permission) from the specified action group.

PDAction constructor
    Gets the specified PDAction object.

PDAction object.getDescription
    Returns the description for the specified action.

PDAction object.getId
    Returns the name for the specified action.

PDAction object.getType
    Returns the type for the specified action.

PDAction.listActions
    Lists all the defined actions (permissions) for the specified action group.
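Defining a custom action group, checking the 32-action limit before adding to it, and granting the new actions in an ACL entry, as an added example that is not part of this reference; it serves both "Administering action groups" and this section. The [group]actions syntax for naming a custom action group inside a permission string is taken from the Base Administration Guide as I read it; the createActionGroup, createAction and listActions parameter lists, the assumption that listActions returns an ArrayList of action names, the "orders-app" type label and the PDAction constructor arguments are assumptions.

```java
import java.io.Console;
import java.net.URL;
import java.util.ArrayList;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDAcl;
import com.tivoli.pd.jadmin.PDAclEntryGroup;
import com.tivoli.pd.jadmin.PDAction;
import com.tivoli.pd.jadmin.PDActionGroup;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDMessages;

/** Added example: a custom action group for an application, filled without exceeding the 32-action limit. */
public class CustomActions {

    static final int MAX_ACTIONS_PER_GROUP = 32;   // limit stated under "Administering action groups"

    /** Pure check: is there room for `wanted` more actions in a group that already holds `existing`? */
    static boolean roomFor(int existing, int wanted) {
        return existing >= 0 && wanted > 0 && existing + wanted <= MAX_ACTIONS_PER_GROUP;
    }

    /**
     * Permission token that grants actions from a custom action group inside an ACL entry,
     * for example groupPermission("orders", "pa") gives "[orders]pa". Appended to primary
     * actions such as "Tr" it reads "Tr[orders]pa".
     */
    static String groupPermission(String actionGroup, String actions) {
        if (actionGroup.isEmpty() || actions.isEmpty() || actionGroup.indexOf(']') >= 0) {
            throw new IllegalArgumentException("action group and actions are required");
        }
        return "[" + actionGroup + "]" + actions;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            System.err.println("run from a terminal so the password is not passed on the command line");
            System.exit(2);
        }
        URL config = new URL("file:///opt/PolicyDirector/etc/PdPerm.properties");   // assumed path
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master",
                                      console.readPassword("sec_master password: "), config);
        PDMessages msgs = new PDMessages();
        try {
            PDActionGroup.createActionGroup(ctx, "orders", msgs);

            // Each action is a single character with a description and a type label.
            String[][] wanted = { { "p", "place order" }, { "a", "approve order" } };
            ArrayList existing = PDAction.listActions(ctx, "orders", msgs);   // assumed: ArrayList of String
            if (!roomFor(existing.size(), wanted.length)) {
                throw new IllegalStateException("action group orders cannot take "
                        + wanted.length + " more actions (limit " + MAX_ACTIONS_PER_GROUP + ")");
            }
            for (String[] w : wanted) {
                PDAction.createAction(ctx, w[0], w[1], "orders-app", "orders", msgs);   // parameters assumed
            }

            // Grant the new actions, together with the default traverse and read actions, to a group.
            String perms = "Tr" + groupPermission("orders", "pa");   // "Tr[orders]pa"
            PDAcl.setPDAclEntryGroup(ctx, "orders-acl", new PDAclEntryGroup("orders-admins", perms), msgs);

            // Confirm what the policy server now holds for the group.
            for (Object id : PDAction.listActions(ctx, "orders", msgs)) {
                PDAction a = new PDAction(ctx, (String) id, "orders", msgs);   // constructor arguments assumed
                System.out.println(a.getId() + "  type=" + a.getType() + "  " + a.getDescription());
            }
        } finally {
            ctx.close();   // assumed: releases the security context with the policy server
        }
    }
}
```

Keeping application actions in their own group rather than in the 14 free slots of the primary group avoids collisions with actions other applications add later, and it makes the grant visible in the permission string itself.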


Chapter 6. Administering protected object policies

You can use the administration API to create, modify, examine, and delete IBM Tivoli Access Manager (Tivoli Access Manager) protected object policies (POPs). You can also use the administration API to attach POPs to, or detach POPs from, protected objects.

You can use POPs to impose additional conditions on operations that are permitted by an access control list (ACL) policy. These additional conditions are enforced regardless of the user or group identities specified in the ACL entries. Examples of additional conditions include the following:
• Specifying the quality of protection
• Writing a report record to the auditing service
• Requiring an authentication strength level
• Restricting access to a specific time period
• Enabling or disabling warning mode, which allows an administrator to validate security policy

Be sure that you understand Tivoli Access Manager POPs before using the administration API to administer POPs. For more information, see the chapter about using POPs in the IBM Tivoli Access Manager Base Administration Guide.

This chapter contains the following topics:
• "Administering protected object policy objects"
• "Administering protected object policy settings" on page 36
• "Administering protected object policy extended attributes" on page 37

Administering protected object policy objects

POP objects are administered in a similar way to ACL policies. You can create and configure a POP, and then attach the POP to objects in the protected object space.

Table 17 lists the methods for administering protected object policy objects.

Table 17. Administering protected object policy objects

PDPop.createPop
    Creates a POP object with the default values.

PDPop.deletePop
    Deletes the specified POP.

PDPop object.getDescription
    Gets the description of the specified POP.

PDPop object.getId
    Gets the name of the specified POP.

PDProtObject.listProtObjectsByPop
    Finds and lists all protected objects that have the specified POP attached.

PDPop constructor, PDProtObject object.getPop
    Gets the specified POP object.

PDPop.listPops
    Lists all POP objects.


PDPop.IPAuthInfo object

An array of PDPop.IPAuthInfo objects is passed as input to the PDPop.setIPAuthInfo and PDPop.removeIPAuthInfo methods. Each PDPop.IPAuthInfo object contains the following information:

IP address
    The IP address, in "%d.%d.%d.%d" String format, associated with the credentials that are being checked. A value of "0.0.0.0" indicates that this setting is for any other network for which this policy is not set explicitly.

Netmask
    The netmask, in "%d.%d.%d.%d" String format, associated with the credentials that are being checked. A value of "0.0.0.0" ind
icates that this setting applies to any other network for which this policy is not set explicitly.

IP authentication level
    The IP authentication level required of the credentials for the specified IP address and netmask when trying to access the protected object to which this POP is attached. Use the constant PDPOP_IPAUTH_LEVEL_FORBIDDEN_ALL_NETWORKS to deny access from all networks.

See the IBM Tivoli Access Manager Base Administration Guide for more information about IP authentication POP policy. See the Javadoc for the PDPop.IPAuthInfo object and its associated methods for additional information.

Administering protected object policy settings

You can use the administration API to set, modify, or remove attributes in a POP. You must create the POP object before specifying POP settings.

You can use administration API functions to specify the following POP attributes:
• Authentication levels
• Quality of Protection (QOP) requirements
• Auditing levels
• Time of day access restrictions
• Warning mode settings

Authentication levels specify whether additional or alternative authentication is required to access a protected object. The additional authentication is also called step-up authentication. This means that an additional authentication step is required in order to access resources that require more restrictive access policies. When using step-up authentication, you can either filter users based on IP address or specify step-up authentication for all users, regardless of IP address. For more information about the use of the authentication level by WebSEAL, see the section about authentication strength POP policy (step-up) in the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

The quality of protection (QOP) level is not enforced internally by Tivoli Access Manager. Applications that set the quality of protection can enforce it. Setting a QOP level on a POP therefore guarantees nothing by itself; every application that serves the object must read the value and act on it.

Audit levels specify what operations generate an audit record. This value is used internally by Tivoli Access Manager and also can be used by applications to generate their own audit records.


The time of day access setting is used to control access to a protected object based on the time when the access occurs.

The warning mode enables a security administrator to troubleshoot the authorization policy set on the protected object space. When you set the warning attribute to yes, any action is possible by any user on the object where the POP is attached. Any access to an object is permitted even if the ACL policy attached to the object is set to deny this access. Audit records are generated that capture the results of all ACL policies with warning mode set throughout the object space. The audit log shows the outcome of an authorization decision as it would have been made if the warning attribute had been set to no.

Table 18 lists the methods for administering protected object policy settings.

Table 18. Administering protected object policy settings

PDPop object.getIPAuthInfo
    Gets the IP authentication level information from the specified POP.
PDPop object.getAuditLevel
    Gets the audit level for the specified POP.
PDPop object.getQOP
    Gets the quality of protection (QOP) level for the specified POP.
PDPop object.getTodAccessInfo
    Gets the time of day range for the specified POP.
PDPop object.getWarningMode
    Gets the warning mode value from the specified POP.
PDPop.removeIPAuthInfo
PDPop object.removeIPAuthInfo
    Removes the specified IP authentication level information from the specified POP.
PDPop.setIPAuthInfo
PDPop object.setIPAuthInfo
    Sets the IP authentication level information for the specified POP.
PDPop.setAuditLevel
PDPop object.setAuditLevel
    Sets the audit level for the specified POP.
PDPop.setDescription
PDPop object.setDescription
    Sets the description of the specified POP.
PDPop.setQOP
PDPop object.setQOP
    Sets the quality of protection level for the specified POP.
PDPop.setTodAccessInfo
PDPop object.setTodAccessInfo
    Sets the time of day range for the specified POP.
PDPop.setWarningMode
PDPop object.setWarningMode
    Sets the warning mode for the specified POP.

Administering protected object policy extended attributes

You can use the administration API to set, modify, or remove extended attributes in a POP. Table 19 on page 38 lists the methods for administering protected object policy extended attributes.


Table 19. Administering protected object policy extended attributes

PDPop.deleteAttribute
PDPop object.deleteAttribute
    Deletes the specified extended attribute from the specified POP.
PDPop.deleteAttributeValue
PDPop object.deleteAttributeValue
    Deletes the specified value from the specified extended attribute key in the specified POP.
PDPop object.getAttributeValues
    Gets the values for the specified extended attribute from the specified POP.
PDPop object.getAttributeNames
    Lists the extended attributes associated with the specified POP.
PDPop.setAttributeValue
PDPop object.setAttributeValue
    Sets the value for the specified extended attribute in the specified POP.
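The IP authentication, warning mode, audit level and extended attribute settings described in this chapter, brought together in one program. This is an added example, not code from the IBM manual or the product; the parameter order of the PDPop static methods (context, POP name, value, messages), the PDPop.IPAuthInfo and PDPop constructors, PDProtObject.attachPop, the PDContext constructor, the configuration file path, the assumption that the PDPOP_AUDIT_LEVEL_* constants are bit flags, and every name and address are assumptions to check against the Javadoc the text cites.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDPop;
import com.tivoli.pd.jadmin.PDProtObject;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/*
 * Added example, not IBM's code. Assumed (verify against the Javadoc): the
 * (context, popId, value, messages) parameter order of the PDPop static
 * methods, the PDPop.IPAuthInfo(ipAddr, netmask, level) constructor, the
 * PDPop(context, popId, messages) constructor, PDProtObject.attachPop, the
 * PDContext(locale, userId, password, configURL) constructor, and that the
 * PDPOP_AUDIT_LEVEL_* constants are bit flags that can be ORed together.
 */
public class PopHardeningExample {

    // Constructed sample values.
    static final String POP_ID       = "finance-stepup-pop";
    static final String OBJECT_NAME  = "/WebSEAL/ws1/finance";
    static final String TRUSTED_NET  = "10.20.0.0";
    static final String TRUSTED_MASK = "255.255.0.0";
    static final int    STEPUP_LEVEL = 2;   // level WebSEAL maps to its step-up mechanism

    public static void main(String[] args) throws Exception {
        URL cfg = new URL("file:///opt/pdadmin/PdPerm.properties");   // assumed path
        char[] pw = System.console().readPassword("sec_master password: ");
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master", pw, cfg);
        PDMessages msgs = new PDMessages();

        try {
            PDPop.createPop(ctx, POP_ID, "Step-up from the trusted subnet, nothing else", msgs);

            // Clients inside the trusted subnet must step up to level 2 ...
            PDPop.setIPAuthInfo(ctx, POP_ID,
                    new PDPop.IPAuthInfo(TRUSTED_NET, TRUSTED_MASK, STEPUP_LEVEL), msgs);
            // ... and the 0.0.0.0/0.0.0.0 entry, which covers every network not
            // listed explicitly, forbids access altogether.
            PDPop.setIPAuthInfo(ctx, POP_ID,
                    new PDPop.IPAuthInfo("0.0.0.0", "0.0.0.0",
                            PDPop.PDPOP_IPAUTH_LEVEL_FORBIDDEN_ALL_NETWORKS), msgs);

            // Warning mode off: with it on, every access is permitted whatever the ACL says.
            PDPop.setWarningMode(ctx, POP_ID, false, msgs);
            // Audit permits and denies so the step-up decisions appear in the audit log.
            PDPop.setAuditLevel(ctx, POP_ID,
                    PDPop.PDPOP_AUDIT_LEVEL_PERMIT | PDPop.PDPOP_AUDIT_LEVEL_DENY, msgs);
            // Extended attribute recording who owns this policy (constructed key and value).
            PDPop.setAttributeValue(ctx, POP_ID, "policy-owner", "finance-security", msgs);

            PDProtObject.attachPop(ctx, OBJECT_NAME, POP_ID, msgs);

            // Read the POP back and refuse to proceed if warning mode is somehow on.
            PDPop pop = new PDPop(ctx, POP_ID, msgs);
            if (pop.getWarningMode()) {
                throw new IllegalStateException(POP_ID + " is in warning mode; nothing is enforced");
            }
            System.out.println("POP " + POP_ID + " attached to " + OBJECT_NAME
                    + ", audit level " + pop.getAuditLevel());
        } catch (PDException e) {
            // The server's explanation travels in the exception, not in a return code.
            for (Object m : e.getMessages()) {
                System.err.println("error: " + m);
            }
            throw e;
        } finally {
            Arrays.fill(pw, '\0');
            for (Object m : msgs) {
                System.out.println("info: " + m);
            }
        }
    }
}
```

The read-back at the end is the part worth keeping in any real deployment script: a POP left in warning mode permits everything, and the only evidence is in the audit log.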


Chapter 7. Administering authorization rules

Authorization rules are conditions or standards contained in an authorization policy that are used to make access decisions based upon attributes such as user, application, and environment context.

Authorization rules are defined to specify conditions that must be met before access to a protected object is permitted.

A rule is created using a number of boolean conditions that are based on data supplied to the authorization engine within the user credential, from the resource manager application, or from the encompassing business environment.

A Tivoli Access Manager authorization rule is a policy type similar to an access control list (ACL) or a protected object policy (POP). The rule is stored as a text rule within a rule policy object and is attached to a protected object in the same way and with the same constraints as ACLs and POPs.

The Tivoli Access Manager administration Java classes provide methods to create, delete, modify, list and get authorization rules. For more information on authorization rules, see the IBM Tivoli Access Manager Base Administration Guide.

Use the methods shown in Table 20 to administer authorization rule objects.

Table 20. Administering authorization rules

PDAuthzRule.createAuthzRule
    Creates the specified authorization rule object.
PDAuthzRule.deleteAuthzRule
    Deletes the specified authorization rule object.
PDAuthzRule constructor
    Instantiates the specified authorization rule object.
PDAuthzRule object.getId
    Gets the ID for the specified authorization rule.
PDAuthzRule object.getDescription
    Gets the description for the specified authorization rule.
PDAuthzRule object.getFailReason
    Gets the fail reason, if any, for the specified authorization rule.
PDAuthzRule object.getRuleText
    Gets the rule text for the specified authorization rule.
PDAuthzRule.listAuthzRules
    Lists all of the registered authorization rules.
PDAuthzRule.setDescription
PDAuthzRule object.setDescription
    Sets the description for the specified authorization rule.
PDAuthzRule.setRuleText
PDAuthzRule object.setRuleText
    Sets the authorization rule text.
PDAuthzRule.setFailReason
PDAuthzRule object.setFailReason
    Sets the authorization rule fail reason.
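A rule built from application-supplied data, as the chapter describes, written as an added example rather than code from the IBM manual or the product. The parameter order of PDAuthzRule.createAuthzRule, the PDAuthzRule constructor, PDProtObject.attachAuthzRule, the PDContext constructor and the configuration path are assumptions to check against the Javadoc; the rule text is a constructed sample in the XSL-based rule language the Base Administration Guide documents, and "amount" is an attribute the resource manager is assumed to pass to the authorization engine, not a built-in credential attribute.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDAuthzRule;
import com.tivoli.pd.jadmin.PDProtObject;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/*
 * Added example, not IBM's code. Assumed (verify against the Javadoc): the
 * parameter order of PDAuthzRule.createAuthzRule (context, ruleId, ruleText,
 * description, failReason, messages), the PDAuthzRule(context, ruleId, messages)
 * constructor, PDProtObject.attachAuthzRule, and the PDContext constructor.
 * The rule text is a constructed sample; "amount" is an attribute the resource
 * manager is assumed to supply to the authorization engine, not a built-in one.
 */
public class AuthzRuleExample {

    static final String RULE_ID     = "transfer-amount-limit";          // constructed
    static final String OBJECT_NAME = "/WebSEAL/ws1/finance/transfer";  // constructed

    // Constructed rule text: the rule passes only when the application-supplied
    // "amount" attribute is below the limit. Anything else evaluates false.
    static final String RULE_TEXT =
            "<xsl:if test=\"amount &lt; 10000\">!TRUE!</xsl:if>";

    // Returned to the resource manager when the rule fails, so it can route the
    // request to an approval flow instead of showing a generic denial.
    static final String FAIL_REASON = "AMOUNT_OVER_LIMIT";

    public static void main(String[] args) throws Exception {
        URL cfg = new URL("file:///opt/pdadmin/PdPerm.properties");   // assumed path
        char[] pw = System.console().readPassword("sec_master password: ");
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master", pw, cfg);
        PDMessages msgs = new PDMessages();

        try {
            PDAuthzRule.createAuthzRule(ctx, RULE_ID, RULE_TEXT,
                    "Transfers at or above the limit need separate approval", FAIL_REASON, msgs);

            // A rule is only policy once it is attached; until then it is inert text.
            PDProtObject.attachAuthzRule(ctx, OBJECT_NAME, RULE_ID, msgs);

            // Read back what the policy server stored and make sure it is what was sent.
            PDAuthzRule rule = new PDAuthzRule(ctx, RULE_ID, msgs);
            if (!RULE_TEXT.equals(rule.getRuleText())) {
                throw new IllegalStateException("stored rule text differs from what was submitted");
            }
            System.out.println("rule " + rule.getId() + " attached to " + OBJECT_NAME
                    + " (fail reason " + rule.getFailReason() + ")");

            // Inventory of every registered rule, useful for periodic policy review.
            for (Object id : PDAuthzRule.listAuthzRules(ctx, msgs)) {
                System.out.println("registered rule: " + id);
            }
        } catch (PDException e) {
            for (Object m : e.getMessages()) {
                System.err.println("error: " + m);
            }
            throw e;
        } finally {
            Arrays.fill(pw, '\0');
        }
    }
}
```

Because the rule depends on a value the resource manager supplies, the application that calls the authorization engine has to pass that attribute reliably; a missing attribute makes the condition false, which is the safe direction for a rule written this way.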


Chapter 8. Administering single signon resources

You can use the administration API to administer resources that enable an IBM Tivoli Access Manager (Tivoli Access Manager) user to obtain single signon (SSO) capability across more than one Web server. This capability requires the use of Tivoli Access Manager WebSEAL junctions.

You can use the administration API to create, modify, examine, and delete the following types of resources:

v Administering Web resources
v Administering resource groups
v Administering resource credentials

Be sure that you understand Tivoli Access Manager single signon support before you use the administration API to administer single signon resources. For more information about administering single signon capability across junctioned Web server resources, see the section about user registry resource management commands in the IBM Tivoli Access Manager Base Administration Guide and the section about using global signon (GSO) in the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

This chapter contains the following topics:

v "Administering Web resources"
v "Administering resource groups" on page 42
v "Administering resource credentials" on page 43

Administering Web resources

A Web resource is a Web server that serves as the backend of a Tivoli Access Manager WebSEAL junction. An application on the joined Web server can require users to authenticate specifically to the application. The authentication information, such as user name and password, often differs from the authentication information used by Tivoli Access Manager. The junctioned Web server thus requires an authenticated Tivoli Access Manager user to log in again, using the user name and password specific to the application on the joined Web server.

You can use the administration API to configure Tivoli Access Manager so that Tivoli Access Manager users need to authenticate only one time. You must define a Web resource (server) and then define a user-specific resource credential that contains user-specific authentication information for the Web resource.

This section describes how to create, modify, and delete Web resources. Administration of resource credentials is described in "Administering resource credentials" on page 43.

Note: The administration API does not perform all WebSEAL junction configuration tasks through the API. Use the pdadmin commands to modify the junction definitions. For more information, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.


Table 21 lists the methods for administering Web resources.

Table 21. Administering Web resources

PDSSOResource.createSSOResource
    Creates a single signon Web resource.
PDSSOResource.deleteSSOResource
    Deletes the specified single signon Web resource.
PDSSOResource constructor
    Instantiates the specified single signon Web resource.
PDSSOResource object.getDescription
    Returns the description of the specified single signon Web resource.
PDSSOResource object.getId
    Returns the name (identifier) of the specified single signon Web resource.
PDSSOResource.listSSOResources
    Returns a list of all of the single signon Web resource names.

Administering resource groups

A resource group is a group of Web servers, all of which have been junctioned to a Tivoli Access Manager WebSEAL server and all of which use the same set of user IDs and passwords.

You can use the administration API to create resource groups. You can then create a single resource credential for all the resources in the resource group. This enables you to simplify the management of Web resources by grouping similar Web resources into resource groups. You can also use the administration API to add more Web resources, when necessary, to an existing resource group.

Table 22 lists the methods for administering resource groups.

Table 22. Administering resource groups

PDSSOResourceGroup.addSSOResource
PDSSOResourceGroup object.addSSOResource
    Adds a single signon resource to a single signon resource group.
PDSSOResourceGroup.createSSOResourceGroup
    Creates a single signon group resource.
PDSSOResourceGroup.deleteSSOResourceGroup
    Deletes a single signon group resource.
PDSSOResourceGroup constructor
    Instantiates the specified single signon group resource.
PDSSOResourceGroup object.getDescription
    Returns the description of the single signon group resource.
PDSSOResourceGroup object.getId
    Returns the name of the single signon group resource.
PDSSOResourceGroup object.getSSOResources
    Returns a list of the member single signon resource names for the specified single signon group.
PDSSOResourceGroup.listSSOResourceGroups
    Returns a list of all of the single signon group resource names.


PDSSOResourceGroup.removeSSOResource
PDSSOResourceGroup object.removeSSOResource
    Removes a single signon resource from the specified single signon resource group.

Administering resource credentials

A resource credential provides a user ID and password for a single signon user-specific resource, such as a Web server or a group of Web servers. The Web resource or group of Web resources must exist before you can apply resource credentials to it. Resource credential information is stored in the user's Tivoli Access Manager entry in the user registry.

You can use the administration API to create, modify, examine, and delete resource credentials. Table 23 lists the methods for administering credentials.

Table 23. Administering credentials

PDSSOCred.createSSOCred
    Creates a single signon credential.
PDSSOCred.deleteSSOCred
    Deletes a single signon credential.
PDSSOCred constructor
    Instantiates the specified single signon credential.
PDSSOCred object.getResourceName
    Returns the name of the single signon resource associated with this credential.
PDSSOCred object.getResourcePassword
    Returns the password associated with this single signon credential.
PDSSOCred object.getResourceUser
    Returns the name of the resource user associated with the specified single signon credential.
PDSSOCred object.getResourceType
    Returns the type of the single signon resource associated with the specified single signon credential.
PDSSOCred object.getUser
    Returns the name of the Tivoli Access Manager user associated with this single signon credential.
PDSSOCred.listAndShowSSOCreds
    Returns the list of single signon credentials for the specified user.
PDSSOCred.listSSOCreds
    Returns the IDs (user, resource, and type) of the single signon credentials for the specified user. This information is a subset of that returned by the listAndShowSSOCreds method.
PDSSOCred.setSSOCred
PDSSOCred object.setSSOCred
    Modifies a single signon credential.
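The three resource types of this chapter used together: two junctioned servers, one group, one credential for the group. This is an added example, not code from the IBM manual or the product. The parameter orders of createSSOResource, createSSOResourceGroup, addSSOResource, createSSOCred and listSSOCreds, the constant name PDSSOCred.PDSSOCRED_SSOGROUP, the PDContext constructor, the configuration path and all server, group and user names are assumptions to check against the Javadoc.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDSSOCred;
import com.tivoli.pd.jadmin.PDSSOResource;
import com.tivoli.pd.jadmin.PDSSOResourceGroup;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/*
 * Added example, not IBM's code. Assumed (verify against the Javadoc): the
 * parameter orders createSSOResource(context, name, description, messages),
 * createSSOResourceGroup(context, group, description, messages),
 * addSSOResource(context, group, resource, messages),
 * createSSOCred(context, resourceName, resourceType, userId, resourceUser,
 * resourcePassword, messages), listSSOCreds(context, userId, messages), the
 * constant name PDSSOCred.PDSSOCRED_SSOGROUP, and the PDContext constructor.
 */
public class SsoResourceExample {

    // Constructed names: two payroll servers junctioned behind WebSEAL that share
    // one set of backend accounts, so one group credential serves both.
    static final String[] SERVERS      = { "payroll-web-1", "payroll-web-2" };
    static final String   GROUP        = "payroll-group";
    static final String   TAM_USER     = "jdoe";
    static final String   BACKEND_USER = "jdoe_pr";

    public static void main(String[] args) throws Exception {
        URL cfg = new URL("file:///opt/pdadmin/PdPerm.properties");   // assumed path
        char[] adminPw = System.console().readPassword("sec_master password: ");
        char[] backendPw = System.console().readPassword("backend password for " + BACKEND_USER + ": ");
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master", adminPw, cfg);
        PDMessages msgs = new PDMessages();

        try {
            // Resources and the group must exist before a credential can refer to them.
            for (String s : SERVERS) {
                PDSSOResource.createSSOResource(ctx, s, "Payroll backend " + s, msgs);
            }
            PDSSOResourceGroup.createSSOResourceGroup(ctx, GROUP, "Payroll backends", msgs);
            for (String s : SERVERS) {
                PDSSOResourceGroup.addSSOResource(ctx, GROUP, s, msgs);
            }

            // One credential bound to the group covers every member server. The
            // backend password lives in the user's registry entry from here on.
            PDSSOCred.createSSOCred(ctx, GROUP, PDSSOCred.PDSSOCRED_SSOGROUP,
                    TAM_USER, BACKEND_USER, backendPw, msgs);

            // Verify with listSSOCreds: it returns only the (user, resource, type)
            // identifiers, which is all an inventory of "who holds credentials where"
            // needs. listAndShowSSOCreds and getResourcePassword would expose the secret.
            for (Object id : PDSSOCred.listSSOCreds(ctx, TAM_USER, msgs)) {
                System.out.println("credential on file: " + id);
            }
        } catch (PDException e) {
            for (Object m : e.getMessages()) {
                System.err.println("error: " + m);
            }
            throw e;
        } finally {
            Arrays.fill(adminPw, '\0');
            Arrays.fill(backendPw, '\0');
        }
    }
}
```

Anyone holding a context that can call getResourcePassword can read every stored backend password, so the administrative identity used for scripts like this one deserves the same protection as the registry itself.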


Chapter 9. Administering domains

A Tivoli Access Manager policy server domain consists of all the physical resources that require protection along with the associated security policy used to protect those resources. Any security policy implemented in a domain affects only those resources in that domain.

Multiple domains can exist simultaneously within a Tivoli Access Manager installation. Data is securely partitioned between domains. A user or process must authenticate to a specific domain in order to access data contained within it.

Each Tivoli Access Manager installation contains a single management domain. A user must be authenticated to the management domain in order to create, delete, list or modify other domains. To specify the management domain in methods that take a domain argument, use the PDDomain.getMgmtDomainName method.

Each Java Runtime Environment (JRE) may optionally be configured to use a specific domain. This domain is called the local domain. To specify the local domain in methods that take a domain argument, use the PDDomain.getLocalDomainName method. If a JRE has not been configured to use a specific domain, the local domain defaults to the management domain.

The Java classes provide methods that can be used to manage domains. For more information on the management of domains, see the IBM Tivoli Access Manager Base Administration Guide. Table 24 lists the methods for administering domains.

Table 24. Administering domains

PDDomain.createDomain
    Creates a new Tivoli Access Manager domain.
PDDomain.deleteDomain
    Deletes the specified Tivoli Access Manager domain.
PDDomain constructor
    Instantiates the specified domain object.
PDDomain object.getDescription
    Gets the description for the specified Tivoli Access Manager domain.
PDDomain object.getId
    Gets the name of the specified Tivoli Access Manager domain.
PDDomain.listDomains
    Lists the names of all the Tivoli Access Manager domains, with the exception of the management domain.
PDDomain.getLocalDomainName
    Gets the name of the local domain.
PDDomain.getMgmtDomainName
    Gets the name of the management domain.
PDDomain.setDescription
PDDomain object.setDescription
    Changes the description for the specified Tivoli Access Manager domain.
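The management-domain and local-domain rules above, as an added example that is not code from the IBM manual or the product: a domain is created from a context bound explicitly to the management domain, and day-to-day work then happens through a context bound to the new domain. That PDDomain.getMgmtDomainName and getLocalDomainName are static and take no arguments, the five-argument PDContext constructor with a domain name, the parameter order of PDDomain.createDomain, the PDDomain constructor, the configuration path and the domain and administrator names are assumptions to check against the Javadoc.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDDomain;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/*
 * Added example, not IBM's code. Assumed (verify against the Javadoc): that
 * PDDomain.getMgmtDomainName() and getLocalDomainName() are static and take no
 * arguments, the PDContext(locale, userId, password, domain, configURL)
 * constructor, createDomain(context, domainId, adminId, adminPassword,
 * description, messages), listDomains(context, messages) returning a list of
 * names, and the PDDomain(context, domainId, messages) constructor.
 */
public class DomainScopedContextExample {

    static final String NEW_DOMAIN   = "retail";        // constructed
    static final String DOMAIN_ADMIN = "retail_admin";  // constructed

    public static void main(String[] args) throws Exception {
        URL cfg = new URL("file:///opt/pdadmin/PdPerm.properties");   // assumed path
        char[] masterPw = System.console().readPassword("sec_master password: ");
        char[] domainAdminPw = System.console().readPassword("password for " + DOMAIN_ADMIN + ": ");
        PDMessages msgs = new PDMessages();

        String mgmt = PDDomain.getMgmtDomainName();
        String local = PDDomain.getLocalDomainName();
        // With no domain configured for this JRE, local falls back to the management domain.
        System.out.println("management domain: " + mgmt + ", local domain: " + local);

        // Creating domains requires a context authenticated to the management domain;
        // name it explicitly rather than relying on the local-domain default.
        PDContext mgmtCtx = new PDContext(Locale.getDefault(), "sec_master", masterPw, mgmt, cfg);
        try {
            PDDomain.createDomain(mgmtCtx, NEW_DOMAIN, DOMAIN_ADMIN, domainAdminPw,
                    "Retail business unit", msgs);

            // listDomains never shows the management domain itself.
            for (Object d : PDDomain.listDomains(mgmtCtx, msgs)) {
                System.out.println("domain: " + d);
            }

            // Day-to-day administration of the new domain uses a context bound to it;
            // policy objects in other domains are unreachable through this context.
            PDContext retailCtx = new PDContext(Locale.getDefault(), DOMAIN_ADMIN, domainAdminPw,
                    NEW_DOMAIN, cfg);
            PDDomain retail = new PDDomain(retailCtx, NEW_DOMAIN, msgs);
            System.out.println(retail.getId() + ": " + retail.getDescription());
        } catch (PDException e) {
            for (Object m : e.getMessages()) {
                System.err.println("error: " + m);
            }
            throw e;
        } finally {
            Arrays.fill(masterPw, '\0');
            Arrays.fill(domainAdminPw, '\0');
        }
    }
}
```

Binding the working context to the business-unit domain, rather than to the management domain, is what keeps a compromised or careless administration script from touching policy outside its own partition.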


Chapter 10. Configuring application servers

You can use the administration API to configure and unconfigure authorization and administration API servers, modify configuration parameters, administer replicas, and perform certificate maintenance.

The com.tivoli.pd.jcfg.SvrSslCfg class is used to perform the necessary configuration steps that allow an application to use a secure sockets layer (SSL) connection for communicating with the policy server or the authorization server. It is not intended to do all of the configuration that may be required to ensure a correctly functioning application. For more information about the com.tivoli.pd.jcfg.SvrSslCfg class, see the IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference.

This chapter contains the following topics:

v "Configuring application servers"
v "Administering configuration information"
v "Certificate maintenance" on page 48

Configuring application servers

Use the configuration commands to enable an application server (an application that uses the authorization or administration API) to communicate with the policy server or the authorization server. An administrative user identity (for example, sec_master) and password must be specified for connecting to the policy server.

Table 25. Configuring application servers

PDAppSvrConfig.configureAppSvr
    Configures an application server by updating the configuration file and creating the keystore file.
PDAppSvrConfig.setAppSvrListening
    Sets or resets the enable-listening parameter in the configuration file.
PDAppSvrConfig.setAppSvrDbDir
    Sets the local policy database directory in the configuration file.
PDAppSvrConfig.setAppSvrDbRefresh
    Sets the local policy database refresh interval in the configuration file.
PDAppSvrConfig.setAppSvrPort
    Changes the listening port number of the application in the configuration file.
PDAppSvrConfig.unconfigureAppSvr
    Unconfigures an application server.

Administering configuration information

Table 26. Administering configuration information

PDAppSvrConfig.addPDServer
    Adds a replica entry to the configuration file.
PDAppSvrConfig.changePDServer
    Changes parameters of a replica entry in the configuration file.


PDAppSvrConfig.removePDServer
    Removes a replica entry from the configuration file.
PDAppSvrConfig.getPDAppSvrInfo
    Returns a PDAppSvrInfo object containing information stored in the configuration file.
PDAppSvrConfig.getKeystoreURL
    Returns the URL of the keystore file that is associated with the configuration file.

Certificate maintenance

Only use the replaceAppSvrCert method when the certificate has been compromised.

Table 27. Certificate maintenance

PDAppSvrConfig.replaceAppSvrCert
    Replaces the server SSL certificate.


Chapter 11. Administering servers

You can use the administration API to get a list of tasks from the server, send a specific task to an authorization server, and notify replica databases, either automatically or manually, when the master authorization database is updated.

This chapter contains the following topics:

v Getting and performing administration tasks
v Notifying replica databases when the master authorization database is updated
    Notifying replica databases automatically
    Notifying replica databases manually
    Setting the maximum number of notification threads
    Setting the notification wait time

Getting and performing administration tasks

You can send an administration task to a server. You also can request a list of all supported administration tasks from a server. The caller must have credentials with sufficient permission to perform the task. For more information, see the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.

Notifying replica databases when the master authorization database is updated

When an administrator makes security policy changes, the policy server makes adjustments to the master authorization database to reflect these changes. To ensure that these changes also are dispersed to any authorization servers with replica databases, you can do one or more of the following:

v Configure an IBM Tivoli Access Manager (Tivoli Access Manager) application, such as WebSEAL, to poll the master authorization database at regular intervals for updates. By default, polling is disabled. For more information about polling the master authorization database, see the cache-refresh-interval option described in the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.
v Enable the policy server to notify authorization servers each time that the master authorization database is updated. This automatic process is recommended for environments where database changes are infrequent. For more information, see "Notifying replica databases automatically" on page 50.
v Notify authorization servers, on demand, after you make updates to the master authorization database. This manual process is recommended for environments where database changes are frequent and involve substantial changes. For instructions, see "Notifying replica databases manually" on page 50.

After you select the method that you want to use to update replica databases (automatic, manual, or both), you can fine-tune settings in the ivmgrd.conf file on the policy server. For more information, see "Setting the maximum number of notification threads" on page 50 and "Setting the notification wait time" on page 50.


Notifying replica databases automatically

You can enable the policy server to send notifications to authorization servers each time that the master authorization database is updated. In turn, the authorization servers automatically request a database update from the policy server. To enable automatic database updates, edit the ivmgrd.conf file on the policy server and add the following attribute=value pair:

    [ivmgrd]
    auto-database-update-notify = yes

You must restart the policy server for changes to take effect. Note that this setting is recommended for environments where the master database is changed infrequently. To turn off automatic notification, specify no.

Notifying replica databases manually

When the master authorization database is updated, you can use the PDServer.replicateServer method to send notification to application servers that are configured to receive database update notifications. You can indicate that a specific server receive update notifications, or specify NULL, which notifies all configured authorization servers in the secure domain. If you specify a server name, you are notified whether the server was replicated successfully or if a failure occurred. If you do not specify a server name, return codes indicate whether or not the policy server started notifying authorization servers in your secure domain. Note that unless you specify the server-name option, you are not notified when an authorization server's database was replicated successfully.

Setting the maximum number of notification threads

When the master authorization database is updated, this update is announced to replica databases through the use of notification threads. Each replica then has the responsibility of downloading the new data from the master authorization database. You can edit the ivmgrd.conf file to set a value for the maximum number of notification threads. This number is calculated based on the number of replica databases in your secure domain. For example, if you have 10 replica databases and want to notify them of master database changes simultaneously, specify a value of 10 for the max-notifier-threads attribute as shown:

    [ivmgrd]
    max-notifier-threads = 10

The default value is 10 (threads).

Setting the notification wait time

There is a time delay between when the policy server updates the master authorization database and when notification is sent to database replicas. If you added auto-database-update-notify = yes to the ivmgrd.conf file as described in "Notifying replica databases automatically" on page 50, you can set this period of time. To do so, edit the notifier-wait-time value in the ivmgrd.conf file. For example, if you are making batch changes to the master authorization database, it is advisable to wait until all changes have been made before policy changes are sent to database replicas. Therefore, you might decide to increase the default value from 15 seconds to 25 seconds as shown:

    [ivmgrd]
    notifier-wait-time = 25


By editing the value for this attribute, the policy server is prevented from sending individual replica notifications for each of a series of database changes.

Administrating servers and database notification

Table 28. Administrating servers and database notification

PDServer constructor
    Instantiates a server object.
PDServer object.getAdminServices
    Returns the list of Administration Services registered by this server.
PDServer object.getDescription
    Returns the description of this server.
PDServer object.getHostName
    Returns the host name of this server.
PDServer object.getId
    Returns the identifier of this server.
PDServer object.getPort
    Returns the port of this server.
PDServer object.getTaskList
    Gets the list of tasks from the server.
PDServer object.getUserId
    Returns the user identifier of this server.
PDServer.listServers
    Lists all the registered servers.
PDServer.performTask
    Sends a command to an authorization server.
PDServer.replicateServer
    Notifies authorization servers to receive database updates.
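The manual notification procedure of this chapter, as an added example that is not code from the IBM manual or the product. It broadcasts with a NULL server name and then notifies each replica by name, because, as the text explains, only a named request reports whether that server's database was actually replicated. The signature PDServer.replicateServer(context, serverName, messages), the PDServer constructor, the PDContext constructor, the configuration path and the server names are assumptions to check against the Javadoc.

```java
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDServer;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/*
 * Added example, not IBM's code. Assumed (verify against the Javadoc):
 * PDServer.replicateServer(context, serverName, messages) with null meaning
 * all configured authorization servers, the PDServer(context, name, messages)
 * constructor, and the PDContext constructor. Server names are constructed.
 */
public class ReplicaNotificationExample {

    /**
     * Broadcasts the update, then asks each named replica individually.
     * Returns the names whose replication reported a failure.
     */
    static List<String> notifyAndVerify(PDContext ctx, String[] authzServers) throws PDException {
        PDMessages msgs = new PDMessages();

        // null: every configured authorization server in the secure domain is told to
        // fetch the new database, but success here only means notification started.
        PDServer.replicateServer(ctx, null, msgs);

        // A named request is the only way to learn whether a given replica updated.
        List<String> failed = new ArrayList<String>();
        for (String name : authzServers) {
            PDMessages perServer = new PDMessages();
            try {
                PDServer.replicateServer(ctx, name, perServer);
                PDServer srv = new PDServer(ctx, name, perServer);
                System.out.println("replicated " + name + " on "
                        + srv.getHostName() + ":" + srv.getPort());
            } catch (PDException e) {
                // A replica that cannot update keeps enforcing stale policy; surface it.
                System.err.println("replication FAILED for " + name + ": " + e.getMessages());
                failed.add(name);
            }
        }
        return failed;
    }

    public static void main(String[] args) throws Exception {
        URL cfg = new URL("file:///opt/pdadmin/PdPerm.properties");   // assumed path
        char[] pw = System.console().readPassword("sec_master password: ");
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master", pw, cfg);
        try {
            // Constructed names of the authorization servers registered in this secure domain.
            String[] replicas = { "ivacld-authz1", "ivacld-authz2" };
            List<String> failed = notifyAndVerify(ctx, replicas);
            if (!failed.isEmpty()) {
                System.err.println("stale replicas: " + failed);
                System.exit(1);
            }
        } finally {
            Arrays.fill(pw, '\0');
        }
    }
}
```

A replica that silently fails to update is the case to watch for: it keeps granting access under the old policy, so the per-server pass and the non-zero exit are what turn a broadcast into something a change process can rely on.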


Appendix A. Differences between the C and Java administration API

If you are familiar with the administration C API described in the IBM Tivoli Access Manager for e-business Administration C API Developer Reference, you should be aware of several notable differences between them and the administration Java classes and methods described in this document. In particular, the handling of security context management and response processing are different between the two implementations. In addition, there are other subtle differences outlined in this appendix.

Security context management differences

The ivadmin_context_create3() function in the C language administration API creates a communication connection to the Tivoli Access Manager policy server. The context object returned by this function is tightly coupled to an actual Secure Sockets Layer (SSL) session. When the SSL session times out, the user must delete the context and create a new one in order to re-establish communication with the policy server. Unneeded contexts must be deleted on a timely basis with ivadmin_context_delete() to free SSL resources. This places the onus on the programmer to manage SSL sessions through the use of context objects and the ivadmin_context_* APIs.

The Java implementation of the context, using the PDContext object, hides the management of the actual SSL sessions from the user. The PDContext object only contains the information needed to establish communication with the server: the server location, the client's authentication information, and the locale to be used for message translation. The PDContext objects are not tied to a particular SSL session. Instead, an SSL session is obtained when a PDContext object is used in a Java method invocation. Tivoli Access Manager manages the SSL sessions itself, creating them, pooling them, reusing them, and eventually deleting them without any explicit context management from the programmer.

Response processing differences

Most of the C language administration API functions return a boolean value indicating the overall success or failure of the requested operation. They also return an ivadmin_response object as an output parameter. This response object contains optional messages that can be subsequently processed using the ivadmin_response_* functions.

The Java language administration API methods throw a PDException exception on failure. Most methods provide a PDMessages output as an output parameter. This object contains optional messages that can be subsequently processed using the accessor methods provided in the PDMessages object class.

Additional differences

The following additional differences exist between the C language and Java language implementations of the Tivoli Access Manager administration API.

• The method names in the PDUser and PDGroup classes are user registry neutral. The function names provided in the administration C APIs are Lightweight Directory Access Protocol (LDAP) specific. This difference arises from the continuing support of a wider range of user registries in IBM Tivoli Access Manager (Tivoli Access Manager).

• The user and group names that appear in the methods associated with the PDUser and PDGroup classes are structured to allow for the possible future addition of other user registries.

• The type field is not supported in the PDProtObject and PDProtObjectSpace classes. Use extended attributes to provide equivalent function. This difference arises from the confusion caused by the type field on the administration C APIs not being used internally by Tivoli SecureWay Policy Director in the past.

• The administration Java classes and methods provide both certificate-based and user ID and password-based authentication. The administration C API only provides user ID and password-based authentication.

• The svrsslcfg command line interface (CLI) can only be used for applications written using the administration C API. For Java applications, use the com.tivoli.pd.jcfg.SvrSslCfg Java class instead.

• Policy information, such as maximum password age, is encapsulated in a PDPolicy class instead of being defined in the user and context objects as it is in the administration C API. The function provided is the same whether using the Java classes or the C API.

• When using the administration C APIs, the user must renegotiate the security context when a session timeout occurs. The PDContext class handles this processing automatically.

• There is no equivalent Java method for ivadmin_context_delete(). Managing security contexts is handled automatically by the Java transport layer.

© Copyright IBM Corp. 2002, 2003

IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference

Appendix B. Deprecated Java classes and methods

The classes and methods listed in Table 29 have been deprecated in IBM Tivoli Access Manager Version 5.1. Existing Java applications should be changed to use the replacement class or method indicated.

Table 29. Deprecated Java Classes and Methods

Deprecated Class or Method | Replacement Class or Method
---------------------------|----------------------------
com.tivoli.mts.PDAttrs | com.tivoli.pd.jutil.PDAttrs
com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, PDAttrValues) | com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, java.util.Collection)
com.tivoli.pd.jutil.PDAttrs.get(java.lang.String) | com.tivoli.pd.jutil.PDAttrs.getValues(java.lang.String)
com.tivoli.mts.PDAttrValue | com.tivoli.pd.jutil.PDAttrValue
com.tivoli.mts.PDAttrValueList | com.tivoli.pd.jutil.PDAttrValueList
com.tivoli.mts.PDStatics | com.tivoli.pd.jutil.PDStatics
com.tivoli.mts.SvrSslCfg | com.tivoli.pd.jcfg.SvrSslCfg
com.tivoli.pd.PDAppSvrConfig.configureAppSvr(java.lang.String, char[], java.lang.String, com.tivoli.pd.jadmin.PDAppSvrSpec, java.net.URL, java.net.URL, int, java.util.Locale, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.PDAppSvrConfig.configureAppSvr(java.lang.String, char[], java.lang.String, com.tivoli.pd.jadmin.PDAppSvrSpec, java.net.URL, java.net.URL, int, java.util.Locale, java.lang.String, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDProtObject constructor (com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDProtObject constructor (com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDProtObject.createProtObject(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, boolean, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDProtObject.createProtObject(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, boolean, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDServer.performTask(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDServer.performTask(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDServer.getTaskList(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDServer.getTaskList(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
PDProtObject.getAcl | PDProtObject.getAclId
PDProtObject.getPop | PDProtObject.getPopId
PDProtObject.getAuthzRule | PDProtObject.getAuthzRuleId


Appendix C. User registry differences

The following user registry differences are known to exist in this version of IBM Tivoli Access Manager (Tivoli Access Manager).

1. When Tivoli Access Manager is using either Microsoft Active Directory or a Lotus Domino server as its user registry, only a single domain is supported. Use an LDAP user registry if you wish to take advantage of the multi-domain support in Tivoli Access Manager.

2. Tivoli Access Manager does not support cross domain group membership or universal groups when using Microsoft Active Directory as its user registry. Importing such groups into Tivoli Access Manager is not supported.

3. When the Tivoli Access Manager policy server is using either Microsoft Active Directory or a Lotus Domino server as its user registry, existing Tivoli SecureWay Policy Director, Version 3.8 clients are not able to connect to the policy server. Either use a different user registry or upgrade the clients to Tivoli Access Manager.

4. Users created in a Lotus Domino server or Microsoft Active Directory user registry are automatically given the capability to own single signon credentials, and this capability cannot be removed. When using an LDAP user registry, this capability must be explicitly granted to a user and can subsequently be removed.

5. Leading and trailing blanks in user names and group names are ignored when using LDAP or Microsoft Active Directory as the user registry in a Tivoli Access Manager secure domain. However, when using a Lotus Domino server as a user registry, leading and trailing blanks are significant. To ensure that processing is consistent regardless of what user registry is being used, define users and groups in the user registry without leading or trailing blanks in their names.

6. The forward slash character (/) should be avoided in user and group names defined using distinguished name strings. The forward slash character is treated differently in different user registries:

   Lotus Domino server
   Users and groups cannot be created with names using a distinguished name string containing a forward slash character. To avoid the problem, either do not use a forward slash character or define the user without using the distinguished name designation:

   pdadmin user create myuser username/locinfo test test testpwd

   instead of using this one:

   pdadmin user create myuser cn=username/o=locinfo test test testpwd

   Microsoft Active Directory
   Users and groups can be created with names using a distinguished name string containing a forward slash character. However, subsequent operations on the object might fail, as some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. To avoid the problem, do not use a forward slash character to define the user.

7. When using a multi-domain Microsoft Active Directory user registry, multiple users and groups can be defined with the same short name as long as they reside in different domains. However, the full name of the user or group, including the domain suffix, must always be specified to Tivoli Access Manager.

8. When using iPlanet Version 5.0 as the user registry, a user that is created, added to a group, and then deleted from the user registry retains its group membership. If a user with the same name is created at some later time, the new user automatically inherits the old group membership and might be given inappropriate permissions. It is strongly recommended that the user be removed from all groups before the user is deleted. This problem does not occur when using the other supported user registries.

9. Attempting to add a single duplicate user to a group does not produce an error when an LDAP user registry is being used. However, an error is properly reflected when using Lotus Domino server or Microsoft Active Directory.

10. The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be either string or binary data. However, when this service is used with a Microsoft Active Directory or Lotus Domino user registry, the retrieved attributes can be string, binary, or integer data.

11. The maximum lengths of various names associated with Tivoli Access Manager vary depending on the user registry being used. See Table 30 for a comparison of the maximum lengths allowed and the recommended maximum length to use to ensure compatibility with all the user registries supported by Tivoli Access Manager.

Table 30. Maximum lengths for names based on user registry

Maximum length of: | LDAP | Microsoft Active Directory | Lotus Domino server | Recommended maximum value
-------------------|------|----------------------------|---------------------|--------------------------
First name (LDAP CN) | 256 | 64 | 960 | 64
Middle name | 128 | 64 | 65535 | 64
Last name (surname) | 128 | 64 | 960 | 64
Registry UID (LDAP DN) | 1024 | 2048 | 255 | This value is user registry-specific and must be changed when changing user registries.
Tivoli Access Manager user identity | 256 | 2048 - 1 - length_of_domain_name | 200 - 4 - length_of_domain_name | This value is user registry-specific and must be changed when changing user registries.
User password | unlimited | 256 | unlimited | 256
User description | 1024 | 1024 | 1024 | 1024
Group name | 256 | 256 | |
Group description | 1024 | 1024 | 1024 | 1024
Single signon resource name | 240 | 256 | 256 | 240
Single signon resource description | 1024 | 1024 | 1024 | 1024
Single signon user ID | 240 | 256 | 256 | 240
Single signon password | unlimited | 256 | unlimited | 256
Single signon group name | 240 | 256 | 256 | 240
Single signon group description | 1024 | 1024 | 1024 | 1024
Action name | 1 | 1 | 1 | 1
Action description, action type | unlimited | unlimited | unlimited |
Object name, object space name, ACL name, POP name | unlimited | unlimited | unlimited |
Object description, object space description, ACL description, POP description | unlimited | unlimited | unlimited |

Even though some names can be of unlimited length, excessive lengths can result in policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for your environment.
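Items 5, 6 and 7 above and the limits in Table 30 are registry-dependent rules that are cheapest to enforce once, before any registry call, rather than discovering them as different failures per registry. The following Python is an added example and is not code from this reference or from the Tivoli Access Manager Java classes; the registry identifiers, the field keys and the name@domain form it assumes for the Active Directory domain suffix are this example's own assumptions.

```python
"""Pre-flight checks for user and group names and field lengths.

Added example, not code from the IBM reference or its Java classes. It
encodes the registry behaviour described in Appendix C (items 5, 6 and 7)
and the limits in Table 30. Registry identifiers, field keys and the
name@domain form of the domain suffix are assumptions of this example.
"""
from dataclasses import dataclass, field

LDAP = "ldap"                          # assumed identifiers, not IBM constants
ACTIVE_DIRECTORY = "active_directory"
DOMINO = "domino"
COLUMN = {LDAP: 0, ACTIVE_DIRECTORY: 1, DOMINO: 2}
UNLIMITED = float("inf")

# Rows copied from Table 30 as (LDAP, Active Directory, Lotus Domino, recommended).
# A recommended value of None means the table says "registry-specific".
# "Group name" is left out because the page gives only two of its four values.
LIMITS = {
    "first_name":               (256, 64, 960, 64),
    "middle_name":              (128, 64, 65535, 64),
    "last_name":                (128, 64, 960, 64),
    "registry_uid":             (1024, 2048, 255, None),
    "user_password":            (UNLIMITED, 256, UNLIMITED, 256),
    "user_description":         (1024, 1024, 1024, 1024),
    "group_description":        (1024, 1024, 1024, 1024),
    "sso_resource_name":        (240, 256, 256, 240),
    "sso_resource_description": (1024, 1024, 1024, 1024),
    "sso_user_id":              (240, 256, 256, 240),
    "sso_password":             (UNLIMITED, 256, UNLIMITED, 256),
    "sso_group_name":           (240, 256, 256, 240),
    "sso_group_description":    (1024, 1024, 1024, 1024),
    "action_name":              (1, 1, 1, 1),
}


def user_identity_max(registry, domain_name):
    """Table 30 row 'Tivoli Access Manager user identity': LDAP 256,
    Active Directory 2048 - 1 - len(domain), Lotus Domino 200 - 4 - len(domain)."""
    if registry == LDAP:
        return 256
    if registry == ACTIVE_DIRECTORY:
        return 2048 - 1 - len(domain_name)
    if registry == DOMINO:
        return 200 - 4 - len(domain_name)
    raise ValueError("unknown registry: %s" % registry)


@dataclass
class NameCheck:
    ok: bool
    name_to_define: str            # the form to create in the registry
    problems: list = field(default_factory=list)


def check_principal_name(name, registry, is_dn=False, multi_domain=False):
    """Apply Appendix C items 5, 6 and 7 to a user or group name."""
    problems = []
    stripped = name.strip()
    if stripped != name:                       # item 5: blanks are registry-dependent
        problems.append("leading/trailing blanks: ignored by LDAP and Active "
                        "Directory but significant in Lotus Domino")
    if not stripped:
        problems.append("empty name")
    if is_dn and "/" in stripped and registry in (DOMINO, ACTIVE_DIRECTORY):
        problems.append("forward slash in a distinguished name string: Domino "
                        "cannot create it, Active Directory may fail later")   # item 6
    if registry == ACTIVE_DIRECTORY and multi_domain and "@" not in stripped:
        problems.append("multi-domain Active Directory needs the full name "
                        "with its domain suffix (assumed form name@domain)")  # item 7
    return NameCheck(ok=not problems, name_to_define=stripped, problems=problems)


def check_length(field_key, value, registry, domain_name=""):
    """Return (fits_registry, fits_recommended) for one field, per Table 30."""
    if registry not in COLUMN:
        raise ValueError("unknown registry: %s" % registry)
    n = len(value)
    if field_key == "user_identity":
        limit = user_identity_max(registry, domain_name)
        return n <= limit, n <= limit
    row = LIMITS[field_key]
    registry_limit = row[COLUMN[registry]]
    recommended = row[3] if row[3] is not None else registry_limit
    return n <= registry_limit, n <= recommended


def preflight(user, registry, domain_name="", multi_domain=False):
    """Collect every problem with a constructed user record before creating it."""
    problems = list(check_principal_name(user["name"], registry,
                                         user.get("is_dn", False), multi_domain).problems)
    for key in ("first_name", "last_name", "user_password", "user_description"):
        if key in user:
            fits_registry, fits_recommended = check_length(key, user[key], registry, domain_name)
            if not fits_registry:
                problems.append("%s exceeds the %s limit" % (key, registry))
            elif not fits_recommended:
                problems.append("%s exceeds the recommended (portable) maximum" % key)
    return problems


if __name__ == "__main__":
    # Constructed sample record: a Domino DN with a slash and an over-long first name.
    sample = {"name": " cn=test user/o=locinfo ", "is_dn": True, "first_name": "x" * 100}
    for problem in preflight(sample, DOMINO):
        print("-", problem)
```

The distinction between the registry limit and the recommended maximum matters when a deployment may later switch registries: a first name of 100 characters is accepted by LDAP and Domino but rejected by Active Directory, so `check_length` reports it as fitting the registry yet not the portable recommendation, and `preflight` surfaces that before the record is created.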


Appendix D. Administration API equivalents

This appendix shows the mapping that exists between the administration C API functions, the administration Java classes and methods, the command line interface (CLI), and Web Portal Manager. In some cases, a given operation can be performed in different ways. Note that in some cases two or more method calls might be necessary to achieve the same effect as a single C API function.

Information about the administration C API can be found in the IBM Tivoli Access Manager for e-business Administration C API Developer Reference. Information about the pdadmin command line interface can be found in the IBM Tivoli Access Manager for e-business Command Reference. Information on Web Portal Manager can be found in its online help and in the IBM Tivoli Access Manager Base Administration Guide.


Table 31. Mapping between administration C API, Java methods, the command line interface, and Web Portal Manager

Each entry gives the C API function, followed by its Java class and method (Java), its command line equivalent (CLI), and its Web Portal Manager equivalent (WPM).

ivadmin_acl_attrdelkey()
  Java: PDAcl.deleteAttribute; PDAcl object.deleteAttribute
  CLI:  pdadmin acl modify acl_name delete attribute attribute_name
  WPM:  ACL → List ACL → select ACL name → Extended Attribute tab → select attribute → Delete

ivadmin_acl_attrdelval()
  Java: PDAcl.deleteAttributeValue; PDAcl object.deleteAttributeValue
  CLI:  pdadmin acl modify acl_name delete attribute attribute_name attribute_value
  WPM:  ACL → List ACL → click ACL name → Extended Attribute tab → select attributes → Delete

ivadmin_acl_attrget()
  Java: PDAcl object.getAttributeValues
  CLI:  pdadmin acl show acl_name attribute attribute_name
  WPM:  ACL → List ACL → click ACL name → Extended Attribute tab

ivadmin_acl_attrlist()
  Java: PDAcl object.getAttributeNames
  CLI:  pdadmin acl list acl_name attribute
  WPM:  ACL → List ACL → click ACL name → Extended Attribute tab

ivadmin_acl_attrput()
  Java: PDAcl.setAttributeValue; PDAcl object.setAttributeValue
  CLI:  pdadmin acl modify acl_name set attribute attribute_name attribute_value
  WPM:  ACL → List ACL → click ACL name → Extended Attribute tab → Create

ivadmin_acl_create()
  Java: PDAcl.createAcl
  CLI:  pdadmin acl create acl_name
  WPM:  ACL → Create ACL

ivadmin_acl_delete()
  Java: PDAcl.deleteAcl
  CLI:  pdadmin acl delete acl_name
  WPM:  ACL → List ACL → select ACL names → Delete

ivadmin_acl_get()
  Java: PDAcl constructor
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_getanyother()
  Java: PDAcl object.getPDAclEntryAnyOther
  CLI:  pdadmin acl show any-other
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_getdescription()
  Java: PDAcl object.getDescription
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_getgroup()
  Java: PDAcl object.getPDAclEntriesGroup
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_getid()
  Java: PDAcl object.getId
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_getunauth()
  Java: PDAcl object.getPDAclEntryUnAuth
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_getuser()
  Java: PDAcl object.getPDAclEntriesUser
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_list()
  Java: PDAcl.listAcls
  CLI:  pdadmin acl list
  WPM:  ACL → List ACL

ivadmin_acl_listgroups()
  Java: PDAcl object.getPDAclEntriesGroup
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_listusers()
  Java: PDAcl object.getPDAclEntriesUser
  CLI:  pdadmin acl show acl_name
  WPM:  ACL → List ACL → click ACL name

ivadmin_acl_removeanyother()
  Java: PDAcl.removePDAclEntryAnyOther; PDAcl object.removePDAclEntryAnyOther
  CLI:  pdadmin acl modify acl_name remove any-other
  WPM:  ACL → List ACL → click ACL name → select Any-other ACL Entry → Delete

ivadmin_acl_removegroup()
  Java: PDAcl.removePDAclEntryGroup; PDAcl object.removePDAclEntryGroup
  CLI:  pdadmin acl modify acl_name remove group group_name
  WPM:  ACL → List ACL → click ACL name → select Group ACL Entry → Delete

ivadmin_acl_removeunauth()
  Java: PDAcl.removePDAclEntryUnAuth; PDAcl object.removePDAclEntryUnAuth
  CLI:  pdadmin acl modify acl_name remove unauthenticated
  WPM:  ACL → List ACL → click ACL name → select Unauthenticated ACL Entry → Delete

ivadmin_acl_removeuser()
  Java: PDAcl.removePDAclEntryUser; PDAcl object.removePDAclEntryUser
  CLI:  pdadmin acl modify acl_name remove user user_name
  WPM:  ACL → List ACL → click ACL name → select User ACL Entry → Delete

ivadmin_acl_setanyother()
  Java: PDAcl.setPDAclEntryAnyOther; PDAcl object.setPDAclEntryAnyOther
  CLI:  pdadmin acl modify acl_name set any-other perms
  WPM:  ACL → List ACL → click ACL name → click Any-other Permissions → select permissions → Apply

ivadmin_acl_setdescription()
  Java: PDAcl.setDescription; PDAcl object.setDescription
  CLI:  pdadmin acl modify acl_name description description
  WPM:  ACL → List ACL → click ACL name → modify Description → Set

ivadmin_acl_setgroup()
  Java: PDAcl.setPDAclEntryGroup; PDAcl object.setPDAclEntryGroup
  CLI:  pdadmin acl modify acl_name set group group_name perms
  WPM:  ACL → List ACL → click ACL name → Create → choose Entry Type Group → specify name of group → select permissions → Apply

ivadmin_acl_setunauth()
  Java: PDAcl.setPDAclEntryUnAuth; PDAcl object.setPDAclEntryUnAuth
  CLI:  pdadmin acl modify acl_name set unauthenticated perms
  WPM:  ACL → List ACL → click ACL name → Create → choose Entry Type Unauthenticated → select permissions → Apply

ivadmin_acl_setuser()
  Java: PDAcl.setPDAclEntryUser; PDAcl object.setPDAclEntryUser
  CLI:  pdadmin acl modify acl_name set user user_name perms
  WPM:  ACL → List ACL → click ACL name → Create → choose Entry Type User → specify name of User → select permissions → Apply

ivadmin_action_create()
  Java: PDAction.createAction
  CLI:  pdadmin action create name description action_type
  WPM:  ACL → List Action Groups → click primary Action Group → Create → fill in form → Create

ivadmin_action_create_in_group()
  Java: PDAction.createAction
  CLI:  pdadmin action create name description action_type action_group_name
  WPM:  ACL → List Action Groups → click Action Group → Create → fill in form → Create

ivadmin_action_delete()
  Java: PDAction.deleteAction
  CLI:  pdadmin action delete name
  WPM:  ACL → List Action Groups → select primary action group → select actions → Delete

ivadmin_action_delete_from_group()
  Java: PDAction.deleteAction
  CLI:  pdadmin action delete name action_group_name
  WPM:  ACL → List Action Groups → click Action Group → select actions → Delete

ivadmin_action_getdescription()
  Java: PDAction object.getDescription
  CLI:  pdadmin action list
  WPM:  ACL → List Action Groups → click primary action group

ivadmin_action_getid()
  Java: PDAction object.getId
  CLI:  pdadmin action list
  WPM:  ACL → List Action Groups → click primary action group

ivadmin_action_gettype()
  Java: PDAction object.getType
  CLI:  pdadmin action list
  WPM:  ACL → List Action Groups → click primary action group

ivadmin_action_group_create()
  Java: PDActionGroup.createActionGroup
  CLI:  pdadmin action group create action_group_name
  WPM:  ACL → Create Action Group

ivadmin_action_group_delete()
  Java: PDActionGroup.deleteActionGroup
  CLI:  pdadmin action group delete action_group_name
  WPM:  ACL → List Action Groups → select action groups → Delete

ivadmin_action_group_list()
  Java: PDActionGroup.listActionGroups
  CLI:  pdadmin action group list
  WPM:  ACL → List Action Groups

ivadmin_action_list()
  Java: PDAction.listActions
  CLI:  pdadmin action list
  WPM:  ACL → List Action Groups → click primary action group

ivadmin_action_list_in_group()
  Java: PDAction.listActions
  CLI:  pdadmin action list action_group_name
  WPM:  ACL → List Action Groups → click Action Group

ivadmin_authzrule_create()
  Java: PDAuthzRule.createAuthzRule
  CLI:  pdadmin authzrule create rule_name rule_text [-desc description] [-failreason failreason]
  WPM:  AuthzRule → Create AuthzRule

ivadmin_authzrule_delete()
  Java: PDAuthzRule.deleteAuthzRule
  CLI:  pdadmin authzrule delete rule_name
  WPM:  AuthzRule → List AuthzRule → select AuthzRule names → Delete

ivadmin_authzrule_get()
  Java: PDAuthzRule constructor
  CLI:  pdadmin authzrule show rule_name
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name

ivadmin_authzrule_getdescription()
  Java: PDAuthzRule object.getDescription
  CLI:  pdadmin authzrule show rule_name
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name

ivadmin_authzrule_getfailreason()
  Java: PDAuthzRule object.getFailReason
  CLI:  pdadmin authzrule show rule_name
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name

ivadmin_authzrule_getid()
  Java: PDAuthzRule object.getID
  CLI:  pdadmin authzrule show rule_name
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name

ivadmin_authzrule_getruletext()
  Java: PDAuthzRule object.getRuleText
  CLI:  pdadmin authzrule show rule_name
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name

ivadmin_authzrule_list()
  Java: PDAuthzRule.listAuthzRules
  CLI:  pdadmin authzrule list
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name

ivadmin_authzrule_setdescription()
  Java: PDAuthzRule.setDescription; PDAuthzRule object.setDescription
  CLI:  pdadmin authzrule modify rule_name description description
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name → General tab → modify fields → Apply

ivadmin_authzrule_setfailreason()
  Java: PDAuthzRule.setFailReason; PDAuthzRule object.setFailReason
  CLI:  pdadmin authzrule modify rule_name failreason failreason
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name → General tab → modify fields → Apply

ivadmin_authzrule_setruletext()
  Java: PDAuthzRule.setRuleText; PDAuthzRule object.setRuleText
  CLI:  pdadmin authzrule modify rule_name ruletext ruletext
  WPM:  AuthzRule → List AuthzRule → click AuthzRule name → General tab → modify fields → Apply

ivadmin_cfg_addreplica2()
  Java: PDAppSvrConfig.addPDServer
  CLI:  svrsslcfg -add_replica -f cfg_file -h host_name [-p port] [-k rank]
  WPM:  Not supported.

ivadmin_cfg_chgreplica2()
  Java: PDAppSvrConfig.changePDServer
  CLI:  svrsslcfg -chg_replica -f cfg_file -h host_name [-p port] [-k rank]
  WPM:  Not supported.

ivadmin_cfg_configureserver3()
  Java: PDAppSvrConfig.configureAppSvr
  CLI:  svrsslcfg -config -f cfg_file -d kdb_dir_name -n server_name ...
  WPM:  Not supported.

ivadmin_cfg_getvalue()
  Java: Not supported at this time.
  CLI:  pdadmin config show config_file stanza
  WPM:  Not supported.

ivadmin_cfg_removevalue()
  Java: Not supported at this time.
  CLI:  pdadmin config modify keyvalue remove config_file stanza key [value]
  WPM:  Not supported.

ivadmin_cfg_renewservercert()
  Java: PDAppSvrConfig.replaceAppSvrCert
  CLI:  svrsslcfg -chgcert -f cfg_file -n server_name [-A admin_ID] -P admin_pwd
  WPM:  Not supported.

ivadmin_cfg_rmvreplica2()
  Java: PDAppSvrConfig.removePDServer
  CLI:  svrsslcfg -rmv_replica -f cfg_file -h host_name [-p port] [-k rank]
  WPM:  Not supported.

ivadmin_cfg_setapplicationcert2()
  Java: Not supported at this time.
  CLI:  svrsslcfg -modify -f cfg_file [-t timeout] [-C cert_file] [-l listening_mode]
  WPM:  Not supported.

ivadmin_cfg_setkeyringpwd2()
  Java: Not applicable.
  CLI:  svrsslcfg -chgpwd -f cfg_file -n server_name [-A admin_ID] [-P admin_pwd]
  WPM:  Not supported.

ivadmin_cfg_setlistening2()
  Java: PDAppSvrConfig.setAppSvrListening
  CLI:  svrsslcfg -f cfg_file -modify -l yes
  WPM:  Not supported.

ivadmin_cfg_setport2()
  Java: PDAppSvrConfig.setAppSvrPort
  CLI:  svrsslcfg -config -f cfg_file -d kdb_dir_name -n server_name ...
  WPM:  Not supported.

ivadmin_cfg_setssltimeout2()
  Java: Not supported at this time.
  CLI:  svrsslcfg -modify -f cfg_file -t timeout [-C cert_file] [-l listening_mode]
  WPM:  Not supported.

ivadmin_cfg_setsvrpwd()
  Java: Not supported at this time.
  CLI:  pdadmin config modify svrpassword config_file password
  WPM:  Not supported.

ivadmin_cfg_setvalue()
  Java: Not supported at this time.
  CLI:  pdadmin config modify keyvalue { set | append } [-obfuscate] config_file stanza key value
  WPM:  Not supported.

ivadmin_cfg_unconfigureserver()
  Java: PDAppSvrConfig.unconfigureAppSvr
  CLI:  svrsslcfg -unconfig -f cfg_file -n server_name [-A admin_ID] -P admin_pwd
  WPM:  Not supported.

ivadmin_context_cleardelcred()
  Java: PDContext object.clearDelegatedCred
  CLI:  Not applicable.
  WPM:  Not applicable.

ivadmin_context_create3()
  Java: PDContext constructor
  CLI:  Not applicable.
  WPM:  Not applicable.

ivadmin_context_createdefault2()
  Java: PDContext constructor
  CLI:  Not applicable.
  WPM:  Not applicable.

ivadmin_context_createlocal()
  Java: Not supported at this time.
  CLI:  Not applicable.
  WPM:  Not applicable.

ivadmin_context_delete()
  Java: PDContext object.close
  CLI:  Not applicable.
  WPM:  Not applicable.

ivadmin_context_domainismanagement()
  Java: PDContext object.domainIsManagement
  CLI:  pdadmin context show
  WPM:  Not supported.

ivadmin_context_getaccexpdate()
  Java: PDPolicy object.getAcctExpDate
  CLI:  pdadmin policy get account-expiry-date
  WPM:  User → Show Global User Policy → Account Expiration Date

ivadmin_context_getcodeset()
  Java: PDContext object.getLocale
  CLI:  Not applicable.
  WPM:  Not applicable.

ivadmin_context_getdisabletimeint()
  Java: PDPolicy object.getAcctDisableTimeInterval
  CLI:  pdadmin policy get disable-time-interval
  WPM:  User → Show Global User Policy → Disable Time Interval

ivadmin_context_getdomainid()
  Java: PDContext object.getDomainid
  CLI:  pdadmin context show
  WPM:  Not supported.

ivadmin_context_getmaxlgnfails()
  Java: PDPolicy object.getMaxFailedLogins
  CLI:  pdadmin policy get max-login-failures
  WPM:  User → Show Global User Policy → Max Login Failures

ivadmin_context_getmaxpwdage()
  Java: PDPolicy object.getMaxPwdAge
  CLI:  pdadmin policy get max-password-age
  WPM:  User → Show Global User Policy → Max Password Age

ivadmin_context_getmaxpwdrepchars()
  Java: PDPolicy object.getMaxPwdRepChars
  CLI:  pdadmin policy get max-

pass

word

-rep

eate

d-ch

ars

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Max

Pas

swor

d

Rep

eate

d

Ch

arac

ters

ivad

min

_con

text

_get

mgm

tdom

ain

id()

PD

Dom

ain

.get

Mgm

tDom

ain

Nam

e

pdad

min

logi

n

—m

Init

ial

logi

n.

ivad

min

_con

text

_get

mgm

tsvr

hos

t()

Not

supp

orte

d

at

this

tim

e.

Not

supp

orte

d

at

this

tim

e.

ivad

min

_con

text

_get

mgm

tsvr

por

t()

Not

supp

orte

d

at

this

tim

e.

Not

supp

orte

d

at

this

tim

e.

ivad

min

_con

text

_get

min

pw

dal

ph

as()

PD

Pol

icy

obje

ct.g

etM

inP

wd

Alp

has

pdad

min

poli

cy

get

min-

pass

word

-alp

has

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Min

imu

m

Pas

swor

d

Alp

has

ivad

min

_con

text

_get

min

pw

dle

n()

PD

Pol

icy

obje

ct.g

etM

inP

wd

Len

pdad

min

poli

cy

get

min-

pass

word

-len

gth

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Min

imu

m

Pas

swor

d

Len

gth

ivad

min

_con

text

_get

min

pw

dn

onal

ph

as()

PD

Pol

icy

obje

ct.g

etM

inP

wd

Non

Alp

has

pdad

min

poli

cy

get

min-

pass

word

-non

-alp

has

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Min

imu

m

Pas

swor

d

Non

-Alp

has

ivad

min

_con

text

_get

pw

dsp

aces

()

PD

Pol

icy

obje

ct.p

wd

Sp

aces

All

owed

pdad

min

poli

cy

get

pass

word

-spa

ces

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Pas

swor

d

Sp

aces

All

owed

ivad

min

_con

text

_get

tod

acce

ss()

PD

Pol

icy

obje

ct.g

etA

cces

sib

leD

ays

PD

Pol

icy

obje

ct.g

etA

cces

sSta

rtT

ime

PD

Pol

icy

obje

ct.g

etA

cces

sEn

dT

ime

PD

Pol

icy

obje

ct.g

etA

cces

sTim

ezon

e

pdad

min

poli

cy

get

tod-

acce

ss

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Tim

e

of

Day

Acc

ess

ivad

min

_con

text

_get

use

rid

()

PD

Con

text

obje

ct.g

etU

seri

d

pdad

min

cont

ext

show

Not

supp

orte

d.

ivad

min

_con

text

_get

use

rreg

()

PD

Use

r.get

Use

rRgy

pdad

min

admi

n

show

conf

igur

atio

n

Not

supp

orte

d.

ivad

min

_con

text

_has

del

cred

()

PD

Con

text

obje

ct.h

asD

eleg

ated

Cre

d

Not

appl

icab

le.

Not

appl

icab

le.

68

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_con

text

_set

acce

xpd

ate(

)

PD

Pol

icy.

setA

cctE

xpD

ate

PD

Pol

icy

obje

ct.s

etA

cctE

xpD

ate

pdad

min

poli

cy

set

acco

unt-

expi

ry-d

ate

[unl

imit

ed

|

abso

lute

_tim

e

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Acc

oun

t

Exp

irat

ion

Dat

e

Ap

ply

ivad

min

_con

text

_set

del

cred

()

PD

Con

text

obje

ct.s

etD

eleg

ated

Cre

d

Not

appl

icab

le.

Not

appl

icab

le.

ivad

min

_con

text

_set

dis

able

tim

ein

t()

PD

Pol

icy.

setA

cctD

isab

leT

ime

PD

Pol

icy

obje

ct.s

etA

cctD

isab

leT

ime

pdad

min

poli

cy

set

disa

ble-

time

-int

erva

l

[num

ber

|

unse

t

|

disa

ble]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Sh

ow

Glo

bal

Use

r

Pol

icy

Ap

ply

ivad

min

_con

text

_set

max

lgn

fail

s()

PD

Pol

icy.

setM

axFa

iled

Log

ins

PD

Pol

icy

obje

ct.s

etM

axFa

iled

Log

ins

pdad

min

poli

cy

set

max-

logi

n-fa

ilur

es

[num

ber

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Max

Log

in

Fail

ure

s

Ap

ply

ivad

min

_con

text

_set

max

pw

dag

e()

PD

Pol

icy.

setM

axP

wd

Age

PD

Pol

icy

obje

ct.s

etM

axP

wd

Age

pdad

min

poli

cy

set

max-

pass

word

-age

[rel

ativ

e_ti

me

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Max

Pas

swor

d

Age

Ap

ply

ivad

min

_con

text

_set

max

pw

dre

pch

ars(

)

PD

Pol

icy.

setM

axP

wd

Rep

Ch

ars

PD

Pol

icy

obje

ct.s

etM

axP

wd

Rep

Ch

ars

pdad

min

poli

cy

set

max-

pass

word

-rep

eate

d-ch

ars

[num

ber

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Max

Pas

swor

d

Rep

eate

d

Ch

arac

ters

Ap

ply

ivad

min

_con

text

_set

min

pw

dal

ph

as()

PD

Pol

icy.

setM

inP

wd

Alp

has

PD

Pol

icy

obje

ct.s

etM

inP

wd

Alp

has

pdad

min

poli

cy

set

min-

pass

word

-alp

has

[num

ber

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Min

imu

m

Pas

swor

d

Alp

has

Ap

ply

ivad

min

_con

text

_set

min

pw

dle

n()

PD

Pol

icy.

setM

inP

wd

Len

PD

Pol

icy

obje

ct.s

etM

inP

wd

Len

pdad

min

poli

cy

set

min-

pass

word

-len

gth

[num

ber

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Min

imu

m

Pas

swor

d

Len

gth

Ap

ply

ivad

min

_con

text

_set

min

pw

dn

onal

ph

as()

PD

Pol

icy.

setM

inP

wd

Non

Alp

has

PD

Pol

icy

obje

ct.s

etM

inP

wd

Non

Alp

has

pdad

min

poli

cy

set

max-

pass

word

-non

-alp

has

[num

ber

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Min

imu

m

Pas

swor

d

Non

-Alp

has

Ap

ply

ivad

min

_con

text

_set

pw

dsp

aces

()

PD

Pol

icy.

setP

wd

Sp

aces

All

owed

PD

Pol

icy

obje

ct.s

etP

wd

Sp

aces

All

owed

pdad

min

poli

cy

set

pass

word

-spa

ces

[yes

|

no

|

unse

t]

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Pas

swor

d

Sp

aces

All

owed

Ap

ply

ivad

min

_con

text

_set

tod

acce

ss()

PD

Pol

icy.

setT

odA

cces

s

PD

Pol

icy

obje

ct.s

etTo

dA

cces

s

pdad

min

poli

cy

set

tod-

acce

ss

toda

cces

s_va

lue

Use

r

Sh

ow

Glo

bal

Use

r

Pol

icy

Tim

e

of

Day

Acc

ess

Ap

ply

Appendix

D.

Administration

API

equivalents

69

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_dom

ain

_cre

ate(

)

PD

Dom

ain

.cre

ateD

omai

n

pdad

min

doma

in

crea

te

doma

in_n

ame

doma

in_a

dmin

doma

in_a

dmin

_pwd

[

—des

c

desc

ript

ion

]

Sec

ure

Dom

ain

Cre

ate

Sec

ure

Dom

ain

ivad

min

_dom

ain

_del

ete(

)

PD

Dom

ain

.del

eteD

omai

n

pdad

min

doma

in

dele

te

doma

in_n

ame

Sec

ure

Dom

ain

Lis

t

Sec

ure

Dom

ain

sele

ct

Secu

re

Dom

ain

nam

es

Del

ete

ivad

min

_dom

ain

_get

()

PD

Dom

ain

cons

truc

tor

pdad

min

doma

in

show

doma

in_n

ame

Sec

ure

Dom

ain

Lis

t

Sec

ure

Dom

ain

clic

k

Secu

re

Dom

ain

nam

e

ivad

min

_dom

ain

_get

des

crip

tion

()

PD

Dom

ain

obje

ct.g

etD

escr

ipti

on

pdad

min

doma

in

show

doma

in_n

ame

Sec

ure

Dom

ain

Lis

t

Sec

ure

Dom

ain

clic

k

Secu

re

Dom

ain

nam

e

ivad

min

_dom

ain

_get

id()

PD

Dom

ain

obje

ct.g

etId

pdad

min

doma

in

show

doma

in_n

ame

Sec

ure

Dom

ain

Lis

t

Sec

ure

Dom

ain

clic

k

Secu

re

Dom

ain

nam

e

ivad

min

_dom

ain

_lis

t()

PD

Dom

ain

.list

Dom

ain

s

pdad

min

doma

in

list

Sec

ure

Dom

ain

Lis

t

Sec

ure

Dom

ain

ivad

min

_dom

ain

_set

des

crip

tion

()

PD

Dom

ain

.set

Des

crip

tion

PD

Dom

ain

obje

ct.s

etD

escr

ipti

on

pdad

min

doma

in

modi

fy

doma

in_n

ame

desc

ript

ion

desc

ript

ion

Sec

ure

Dom

ain

Lis

t

Sec

ure

Dom

ain

clic

k

Secu

re

Dom

ain

nam

e

mod

ify

des

crip

tion

Ap

ply

ivad

min

_fre

e()

Not

appl

icab

le.

Not

appl

icab

le.

Not

appl

icab

le.

ivad

min

_gro

up

_ad

dm

emb

ers(

)

PD

Gro

up

.ad

dM

emb

ers

PD

Gro

up

obje

ct.a

dd

Mem

ber

s

pdad

min

grou

p

modi

fy

grou

p_na

me

add

(use

r_na

me1

user

_nam

e2

...)

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

Mem

ber

s

tab

Ad

d

ivad

min

_gro

up

_cre

ate2

()

PD

Gro

up

.cre

ateG

rou

p

pdad

min

grou

p

crea

te

grou

p_na

me

dn

cn

Gro

up

Cre

ate

Gro

up

ivad

min

_gro

up

_del

ete2

()

PD

Gro

up

.del

eteG

rou

p

pdad

min

grou

p

dele

te

[-re

gist

ry]

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

sele

ct

grou

p

nam

es

Del

ete

70

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_gro

up

_get

()

PD

Gro

up

cons

truc

tor

pdad

min

grou

p

show

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

ivad

min

_gro

up

_get

byd

n()

PD

Gro

up

cons

truc

tor

pdad

min

grou

p

show

-dn

dn

Not

supp

orte

d.

ivad

min

_gro

up

_get

cn()

Will

not

be

supp

orte

d.

pdad

min

grou

p

show

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

ivad

min

_gro

up

_get

des

crip

tion

()

PD

Gro

up

obje

ct.g

etD

escr

ipti

on

pdad

min

grou

p

show

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

ivad

min

_gro

up

_get

dn

()

PD

Gro

up

obje

ct.g

etR

gyN

ame

pdad

min

grou

p

show

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

ivad

min

_gro

up

_get

id()

PD

Gro

up

obje

ct.g

etId

pdad

min

grou

p

show

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

ivad

min

_gro

up

_get

mem

ber

s()

PD

Gro

up

obje

ct.g

etM

emb

ers

pdad

min

grou

p

show

-mem

bers

grou

p_na

me

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

Mem

ber

s

tab

ivad

min

_gro

up

_im

por

t2()

PD

Gro

up

.imp

ortG

rou

p

pdad

min

grou

p

impo

rt

grou

p_na

me

dn

Gro

up

Imp

ort

Gro

up

ivad

min

_gro

up

_lis

t()

PD

Gro

up

.list

Gro

up

s

pdad

min

grou

p

list

patt

ern

max_

retu

rn

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

ivad

min

_gro

up

_lis

tbyd

n()

PD

Gro

up

.list

Gro

up

s

pdad

min

grou

p

list

-dn

patt

ern

max_

retu

rn

Not

supp

orte

d.

Appendix

D.

Administration

API

equivalents

71

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_gro

up

_rem

ovem

emb

ers(

)

PD

Gro

up

.rem

oveM

emb

ers

PD

Gro

up

obje

ct.r

emov

eMem

ber

s

pdad

min

grou

p

modi

fy

grou

p_na

me

remo

ve

(use

r_na

me1

user

_nam

e2

...)

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

Mem

ber

s

tab

sele

ct

user

nam

es

Rem

ove

ivad

min

_gro

up

_set

des

crip

tion

()

PD

Gro

up

.set

Des

crip

tion

PD

Gro

up

obje

ct.s

etD

escr

ipti

on

pdad

min

grou

p

modi

fy

grou

p_na

me

desc

ript

ion

desc

ript

ion

Gro

up

Sea

rch

Gro

up

s

ente

r

patt

ern

and

max

imum

resu

lts

Sea

rch

clic

k

grou

p

nam

e

ente

r

Des

crip

tion

Ap

ply

ivad

min

_ob

ject

spac

e_cr

eate

()

PD

Pro

tOb

ject

Sp

ace.

crea

teP

rotO

bje

ctS

pac

e

pdad

min

obje

ctsp

ace

crea

te

obje

ctsp

ace_

name

Ob

ject

Sp

ace

Cre

ate

Ob

ject

Sp

ace

ivad

min

_ob

ject

spac

e_d

elet

e()

PD

Pro

tOb

ject

Sp

ace.

del

eteP

rotO

bje

ctS

pac

e

pdad

min

obje

ctsp

ace

dele

te

obje

ctsp

ace_

name

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

clic

k

obje

ct

spac

e

nam

e

Del

ete

ivad

min

_ob

ject

spac

e_li

st()

PD

Pro

tOb

ject

Sp

ace.

list

Pro

tOb

ject

Sp

aces

pdad

min

obje

ctsp

ace

list

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

ivad

min

_pop

_att

ach

()

PD

Pro

tOb

ject

.att

ach

Pop

PD

Pro

tObj

ect

obje

ct.a

ttac

hP

op

pdad

min

pop

atta

ch

obje

ct_n

ame

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Att

ach

tab

Att

ach

ivad

min

_pop

_att

rdel

key

()

PD

Pop

.del

eteA

ttri

bu

te

PD

Pop

obje

ct.d

elet

eAtt

rib

ute

pdad

min

pop

modi

fy

pop_

name

dele

te

attr

ibut

e

attr

ibut

e_na

me

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Ext

end

ed

Att

rib

ute

s

tab

sele

ct

attr

ibut

es

Del

ete

ivad

min

_pop

_att

rdel

val(

)

PD

Pop

.del

eteA

ttri

bu

teV

alu

e

PD

Pop

obje

ct.d

elet

eAtt

rib

ute

Val

ue

pdad

min

pop

modi

fy

pop_

name

dele

te

attr

ibut

e

attr

ibut

e_na

me

attr

ibut

e_va

lue

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Ext

end

ed

Att

rib

ute

s

tab

sele

ct

attr

ibut

es

Del

ete

ivad

min

_pop

_att

rget

()

PD

Pop

obje

ct.g

etA

ttri

bu

teV

alu

es

pdad

min

pop

show

pop_

name

attr

ibut

e

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Ext

end

ed

Att

rib

ute

s

tab

ivad

min

_pop

_att

rlis

t()

PD

Pop

obje

ct.g

etA

ttri

bu

teN

ames

pdad

min

pop

list

pop_

name

attr

ibut

e

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Ext

end

ed

Att

rib

ute

s

tab

72

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_pop

_att

rpu

t()

PD

Pop

.set

Att

rib

ute

Val

ue

PD

Pop

obje

ct.s

etA

ttri

bu

teV

alu

e

pdad

min

pop

modi

fy

pop_

name

set

attr

ibut

e

attr

ibut

e_na

me

attr

ibut

e_va

lue

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Ext

end

ed

Att

rib

ute

s

tab

Cre

ate

ivad

min

_pop

_cre

ate(

)

PD

Pop

.cre

ateP

op

pdad

min

pop

crea

te

pop_

name

PO

P

Cre

ate

PO

P

ivad

min

_pop

_del

ete(

)

PD

Pop

.del

eteP

op

pdad

min

pop

dele

te

pop_

name

PO

P

Lis

t

PO

P

sele

ct

POP

nam

es

Del

ete

ivad

min

_pop

_det

ach

()

PD

Pro

tOb

ject

.det

ach

Pop

PD

Pro

tObj

ect

obje

ct.a

ttac

hP

op

pdad

min

pop

deta

ch

obje

ct_n

ame

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Att

ach

tab

sele

ct

obje

ct

Det

ach

ivad

min

_pop

_fin

d()

PD

Pro

tOb

ject

.list

Pro

tOb

ject

sByP

op

pdad

min

pop

find

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Att

ach

tab

ivad

min

_pop

_get

()

PD

Pop

cons

truc

tor

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_get

aud

itle

vel(

)

PD

Pop

obje

ct.g

etA

ud

itL

evel

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_get

des

crip

tion

()

PD

Pop

obje

ct.g

etD

escr

ipti

on

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_get

id()

PD

Pop

obje

ct.g

etId

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_get

qop

()

PD

Pop

obje

ct.g

etQ

OP

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_get

tod

()

PD

Pop

obje

ct.g

etTo

dA

cces

sIn

fo

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_get

war

nm

ode(

)

PD

Pop

obje

ct.g

etW

arn

ingM

ode

pdad

min

pop

show

pop_

name

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

ivad

min

_pop

_lis

t()

PD

Pop

.list

Pop

s

pdad

min

pop

list

PO

P

Lis

t

PO

P

ivad

min

_pop

_rem

ovei

pau

th()

PD

Pop

.rem

oveI

PAu

thIn

fo

PD

Pop

obje

ct.r

emov

eIPA

uth

Info

pdad

min

pop

modi

fy

pop_

name

set

ipau

th

remo

ve

netw

ork

netm

ask

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

IP

Au

th

tab

sele

ct

IP

auth

entr

ies

Del

ete

Appendix

D.

Administration

API

equivalents

73

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_pop

_set

anyo

ther

nw

()

PD

Pop

.set

uth

Info

pdad

min

pop

modi

fy

pop_

name

set

ipau

th

anyo

ther

nw

auth

enti

cati

on_l

evel

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

IP

Au

th

tab

Cre

ate

sele

ct

An

y

Oth

er

Net

wor

k

chec

k

box,

ente

r

the

auth

enti

cati

on

leve

l

Cre

ate

ivad

min

_pop

_set

anyo

ther

nw

_for

bid

den

()

PD

Pop

.set

IPA

uth

Info

pdad

min

pop

modi

fy

pop_

name

set

ipau

th

anyo

ther

nw

forb

idde

n

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

IP

Au

th

tab

Cre

ate

sele

ct

An

y

Oth

er

Net

wor

k

chec

k

box,

sele

ct

Forb

idd

en

chec

k

box

Cre

ate

ivad

min

_pop

_set

aud

itle

vel(

)

PD

Pop

.set

Au

dit

Lev

el

PD

Pop

obje

ct.s

etA

ud

itL

evel

pdad

min

pop

modi

fy

pop_

name

set

audi

t-le

vel

[all

|

none

|

audi

t_le

vel_

list

]

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Gen

eral

tab

sele

ct

Au

dit

Lev

el

chec

k

box

Ap

ply

ivad

min

_pop

_set

des

crip

tion

()

PD

Pop

.set

Des

crip

tion

PD

Pop

obje

ct.s

etD

escr

ipti

on

pdad

min

pop

modi

fy

pop_

name

set

desc

ript

ion

desc

ript

ion

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Gen

eral

tab

Ap

ply

ivad

min

_pop

_set

ipau

th()

PD

Pop

.set

IPA

uth

Info

PD

Pop

obje

ct.s

etIP

Au

thIn

fo

pdad

min

pop

modi

fy

pop_

name

set

ipau

th

add

netw

ork

netm

ask

auth

enti

cati

on_l

evel

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

IP

Au

th

tab

Cre

ate

ente

r

the

netw

ork,

net

mas

k,

and

auth

enti

cati

on

leve

l

Ap

ply

ivad

min

_pop

_set

ipau

th_f

orb

idd

en()

PD

Pop

.set

IPA

uth

Info

PD

Pop

obje

ct.s

etIP

Au

thIn

fo

pdad

min

pop

modi

fy

pop_

name

set

ipau

th

add

netw

ork

netm

ask

forb

idde

n

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

IP

Au

th

tab

Cre

ate

ente

r

the

netw

ork

and

net

mas

k,

sele

ct

Forb

idd

en

chec

k

box

Ap

ply

ivad

min

_pop

_set

qop

()

PD

Pop

.set

QO

P

PD

Pop

obje

ct.s

etQ

OP

pdad

min

pop

modi

fy

pop_

name

set

qop

[non

e

|

inte

grit

y

|

priv

acy]

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Gen

eral

tab

Ap

ply

ivad

min

_pop

_set

tod

()

PD

Pop

.set

Tod

Acc

essI

nfo

PD

Pop

obje

ct.s

etTo

dA

cces

sIn

fo

.

pdad

min

pop

modi

fy

pop_

name

set

tod-

acce

ss

tod_

valu

e

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Gen

eral

tab

Ap

ply

74

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_pop

_set

war

nm

ode(

)

PD

Pop

.set

War

nin

gMod

e

PD

Pop

obje

ct.s

etW

arn

ingM

ode

pdad

min

pop

modi

fy

pop_

name

set

warn

ing

[

on

|

off

]

PO

P

Lis

t

PO

P

clic

k

POP

nam

e

Gen

eral

tab

Ap

ply

ivad

min

_pro

tob

j_ac

cess

()

PD

Pro

tOb

ject

.acc

ess

pdad

min

obje

ct

acce

ss

obje

ct_n

ame

Not

supp

orte

d.

ivad

min

_pro

tob

j_at

tach

acl(

)

PD

Pro

tOb

ject

.att

ach

Acl

PD

Pro

tObj

ect

obje

ct.a

ttac

hA

cl

pdad

min

acl

atta

ch

obje

ct_n

ame

acl_

name

AC

L

Lis

t

AC

L

clic

k

AC

L

nam

e

Att

ach

tab

Att

ach

ivad

min

_pro

tob

j_at

tach

auth

zru

le()

PD

Pro

tOb

ject

.att

ach

Au

thzR

ule

PD

Pro

tObj

ect

obje

ct.a

ttac

hA

uth

zRu

le

pdad

min

auth

zrul

e

atta

ch

obje

ct_n

ame

rule

_nam

e

Au

thzR

ule

Lis

t

Au

thzR

ule

clic

k

Aut

hzR

ule

nam

e

Att

ach

tab

Att

ach

ivad

min

_pro

tob

j_at

trd

elk

ey()

PD

Pro

tOb

ject

.del

eteA

ttri

bu

te

PD

Pro

tObj

ect

obje

ct.d

elet

eAtt

rib

ute

pdad

min

obje

ct

modi

fy

obje

ct_n

ame

dele

te

attr

ibut

e_na

me

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Ext

end

ed

Att

rib

ute

s

tab

sele

ct

attr

ibut

e

Del

ete

ivad

min

_pro

tob

j_at

trd

elva

l()

PD

Pro

tOb

ject

.del

eteA

ttri

bu

teV

alu

e

PD

Pro

tObj

ect

obje

ct.d

elet

eAtt

rib

ute

Val

ue

pdad

min

obje

ct

modi

fy

obje

ct_n

ame

dele

te

attr

ibut

e_na

me

attr

ibut

e_va

lue

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Ext

end

ed

Att

rib

ute

s

tab

sele

ct

attr

ibut

e

Del

ete

ivad

min

_pro

tob

j_at

trge

t()

PD

Pro

tObj

ect

obje

ct.g

etA

ttri

bu

teV

alu

es

pdad

min

obje

ct

show

obje

ct_n

ame

attr

ibut

e

attr

ibut

e_na

me

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Ext

end

ed

Att

rib

ute

s

tab

ivad

min

_pro

tob

j_at

trli

st()

PD

Pro

tObj

ect

obje

ct.g

etA

ttri

bu

teN

ames

pdad

min

obje

ct

list

obje

ct_n

ame

attr

ibut

e

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Ext

end

ed

Att

rib

ute

s

tab

ivad

min

_pro

tob

j_at

trp

ut(

)

PD

Pro

tOb

ject

.set

Att

rib

ute

Val

ue

PD

Pro

tObj

ect

obje

ct.s

etA

ttri

bu

teV

alu

e

pdad

min

obje

ct

modi

fy

obje

ct_n

ame

set

attr

ibut

e

attr

ibut

e_na

me

attr

ibut

e_va

lue

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Ext

end

ed

Att

rib

ute

s

tab

Cre

ate

Appendix

D.

Administration

API

equivalents

75

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_pro

tob

j_cr

eate

()

PD

Pro

tOb

ject

.cre

ateP

rotO

bje

ct

pdad

min

obje

ct

crea

te

obje

ct_n

ame

Ob

ject

Sp

ace

Cre

ate

Ob

ject

Sele

ct

the

Can

Pol

icy

be

atta

ched

to

this

obje

ct

chec

k

box

on

the

Prot

ecte

d

Obj

ect

Prop

erti

es

win

dow

.

Not

e:

The

typ

e

fiel

d

is

not

supp

orte

d.

ivad

min

_pro

tob

j_d

elet

e()

PD

Pro

tOb

ject

.del

eteP

rotO

bje

ct

pdad

min

obje

ct

dele

te

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

Del

ete

ivad

min

_pro

tob

j_d

etac

hac

l()

PD

Pro

tOb

ject

.det

ach

Acl

PD

Pro

tObj

ect

obje

ct.d

etac

hA

cl

pdad

min

acl

deta

ch

obje

ct_n

ame

AC

L

Lis

t

AC

L

clic

k

AC

L

nam

e

Att

ach

tab

sele

ct

obje

ct

nam

es

Det

ach

ivad

min

_pro

tob

j_d

etac

hau

thzr

ule

()

PD

Pro

tOb

ject

.det

ach

Au

thzR

ule

PD

Pro

tObj

ect

obje

ct.d

etac

hA

uth

zRu

le

pdad

min

auth

zrul

e

deta

ch

obje

ct_n

ame

Au

thzR

ule

Lis

t

Au

thzR

ule

clic

k

Aut

hzR

ule

nam

e

Att

ach

tab

sele

ct

obje

ct

nam

es

Det

ach

ivad

min

_pro

tob

j_ex

ists

()

PD

Pro

tOb

ject

.exi

sts

pdad

min

obje

ct

exis

ts

obje

ct_n

ame

Not

supp

orte

d.

ivad

min

_pro

tob

j_ge

t3()

PD

Pro

tOb

ject

cons

truc

tor

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

tacl

id()

PD

Pro

tObj

ect

obje

ct.g

etA

cl

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

tau

thzr

ule

id()

PD

Pro

tObj

ect

obje

ct.g

etA

uth

zRu

le

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

76

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

ivad

min

_pro

tob

j_ge

tdes

c()

PD

Pro

tObj

ect

obje

ct.g

etD

escr

ipti

on

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

teff

acli

d()

PD

Pro

tObj

ect

obje

ct.g

etE

ffec

tuve

Acl

Id

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

teff

auth

zru

leid

()

PD

Pro

tObj

ect

obje

ct.g

etE

ffec

tuve

Au

thzR

ule

Id

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

teff

pop

id()

PD

Pro

tObj

ect

obje

ct.g

etE

ffec

tuve

Pop

Id

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

tid

()

PD

Pro

tObj

ect

obje

ct.g

etId

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

tpol

icya

ttac

hab

le()

PD

Pro

tObj

ect

obje

ct.is

Pol

icyA

ttac

hab

le

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

tpop

id()

PD

Pro

tObj

ect

obje

ct.g

etP

opId

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_ge

ttyp

e()

Will

not

be

supp

orte

d.

pdad

min

obje

ct

show

obje

ct_n

ame

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Gen

eral

tab

ivad

min

_pro

tob

j_li

st3(

)

PD

Pro

tOb

ject

.list

Pro

tOb

ject

s

pdad

min

obje

ct

list

dire

ctor

y_na

me

Ob

ject

Sp

ace

Bro

wse

Ob

ject

Sp

ace

expa

nd

and

clic

k

on

obje

ct

nam

e

Appendix

D.

Administration

API

equivalents

77

Tabl

e

31.

Map

ping

betw

een

adm

inis

trat

ion

C

AP

I,

Java

met

hods

,

the

com

man

d

line

inte

rfac

e,

and

Web

Por

tal

Man

ager

(con

tinue

d)

C

AP

I

Java

Cla

ss

and

Met

hod

Com

man

d

Lin

e

Eq

uiv

alen

t

Web

Por

tal

Man

ager

Eq

uiv

alen

t

C API: ivadmin_protobj_listbyacl()
Java class and method: PDProtObject.listProtObjectsByAcl
Command line equivalent: pdadmin acl find acl_name
Web Portal Manager equivalent: ACL > List ACL > click ACL name > Attach tab

C API: ivadmin_protobj_listbyauthzrule()
Java class and method: PDProtObject.listProtObjectsByAuthzRule
Command line equivalent: pdadmin authzrule find rule_name
Web Portal Manager equivalent: AuthzRule > List AuthzRule > click AuthzRule name > Attach tab

C API: ivadmin_protobj_multiaccess()
Java class and method: PDProtObject.multiAccess
Command line equivalent: pdadmin object access object_name
Web Portal Manager equivalent: Not supported.

C API: ivadmin_protobj_setdesc()
Java class and method: PDProtObject.setDescription; PDProtObject object.setDescription
Command line equivalent: pdadmin object modify object_name description description
Web Portal Manager equivalent: Object Space > Browse Object Space > expand and click on object name > General tab > Apply

C API: ivadmin_protobj_setname()
Java class and method: Will not be supported.
Command line equivalent: pdadmin object modify object_name name name conflict_resolution resolution_modifier
Web Portal Manager equivalent: Not supported.

C API: ivadmin_protobj_setpolicyattachable()
Java class and method: PDProtObject.setPolicyAttachable; PDProtObject object.setPolicyAttachable
Command line equivalent: pdadmin object modify object_name isPolicyAttachable [yes | no]
Web Portal Manager equivalent: Object Space > Browse Object Space > expand and click on object name > General tab > Apply

C API: ivadmin_protobj_settype()
Java class and method: Will not be supported.
Command line equivalent: pdadmin object modify object_name type type
Web Portal Manager equivalent: Not supported.

C API: ivadmin_response_getcode()
Java class and method: Not applicable.
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_response_getcount()
Java class and method: Not applicable.
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_response_getmessage()
Java class and method: Not applicable.
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_response_getmodifier()
Java class and method: Not applicable.
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_response_getok()
Java class and method: Not applicable.
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_server_gettasklist()
Java class and method: PDServer.getTaskList
Command line equivalent: pdadmin server listtasks server_name
Web Portal Manager equivalent: Not supported.

C API: ivadmin_server_performtask()
Java class and method: PDServer.performTask
Command line equivalent: pdadmin server task server_name task_to_perform
Web Portal Manager equivalent: Not supported.

C API: ivadmin_server_replicate()
Java class and method: PDServer.serverReplicate
Command line equivalent: pdadmin server replicate server_name
Web Portal Manager equivalent: Not supported.

78 IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference


C API: ivadmin_ssocred_create()
Java class and method: PDSSOCred.createSSOCred
Command line equivalent: pdadmin rsrccred create resource_name rsrcuser resource_userid rsrcpwd resource_pwd rsrctype [web | group] user user_name
Web Portal Manager equivalent: User > Search Users > Search > click user name > click GSO Credentials tab > click Create

C API: ivadmin_ssocred_delete()
Java class and method: PDSSOCred.deleteSSOCred
Command line equivalent: pdadmin rsrccred delete resource_name rsrctype [web | group] user user_name
Web Portal Manager equivalent: User > Search Users > Search > click user name > click GSO Credentials tab > select GSO Credentials > Delete

C API: ivadmin_ssocred_get()
Java class and method: PDSSOCred constructor
Command line equivalent: pdadmin rsrccred show resource_name rsrctype [web | group] user user_name
Web Portal Manager equivalent: User > Search Groups > Search > click user name > click GSO Credentials tab

C API: ivadmin_ssocred_getid()
Java class and method: PDSSOCred object.getResourceName
Command line equivalent: pdadmin rsrccred show resource_name rsrctype [web | group] user user_name
Web Portal Manager equivalent: User > Search Groups > Search > click user name > click GSO Credentials tab

C API: ivadmin_ssocred_getssopassword()
Java class and method: PDSSOCred object.getResourcePassword
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_ssocred_getssouser()
Java class and method: PDSSOCred object.getResourceUser
Command line equivalent: Not applicable.
Web Portal Manager equivalent: Not applicable.

C API: ivadmin_ssocred_gettype()
Java class and method: PDSSOCred object.getResourceType
Command line equivalent: pdadmin rsrccred show resource_name rsrctype [web | group] user user_name
Web Portal Manager equivalent: User > Search Groups > Search > click user name > click GSO Credentials tab

C API: ivadmin_ssocred_getuser()
Java class and method: PDSSOCred object.getUser
Command line equivalent: pdadmin rsrccred show resource_name rsrctype [web | group] user user_name
Web Portal Manager equivalent: User > Search Groups > Search > click user name > click GSO Credentials tab

C API: ivadmin_ssocred_list()
Java class and method: PDSSOCred object.listAndShowSSOCreds; PDSSOCred object.listSSOCreds
Command line equivalent: pdadmin rsrccred list user user_name
Web Portal Manager equivalent: User > Search Users > Search > click user name > click GSO Credentials tab


C API: ivadmin_ssocred_set()
Java class and method: PDSSOCred.setSSOCred; PDSSOCred object.setSSOCred
Command line equivalent: pdadmin rsrccred modify resource_name rsrctype [web | group] [-rsrcuser resource_userid] [-rsrcpwd resource_pwd] user user_name
Web Portal Manager equivalent: User > Search Users > Search > click user name > click GSO Credentials tab > click Create

C API: ivadmin_ssogroup_addres()
Java class and method: PDSSOResourceGroup.addSSOResource; PDSSOResourceGroup object.addSSOResource
Command line equivalent: pdadmin rsrcgroup modify resource_group_name add rsrcname resource_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > click GSO resource group > Add

C API: ivadmin_ssogroup_create()
Java class and method: PDSSOResourceGroup.createSSOResourceGroup
Command line equivalent: pdadmin rsrcgroup create resource_group_name [-desc description]
Web Portal Manager equivalent: GSO Resource > Create GSO Group

C API: ivadmin_ssogroup_delete()
Java class and method: PDSSOResourceGroup.deleteSSOResourceGroup
Command line equivalent: pdadmin rsrcgroup delete resource_group_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > select GSO resource groups > Delete

C API: ivadmin_ssogroup_get()
Java class and method: PDSSOResourceGroup constructor
Command line equivalent: pdadmin rsrcgroup show resource_group_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > click GSO resource group

C API: ivadmin_ssogroup_getdescription()
Java class and method: PDSSOResourceGroup object.getDescription
Command line equivalent: pdadmin rsrcgroup show resource_group_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > click GSO resource group

C API: ivadmin_ssogroup_getid()
Java class and method: PDSSOResourceGroup object.getId
Command line equivalent: pdadmin rsrcgroup show resource_group_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > click GSO resource group

C API: ivadmin_ssogroup_getresources()
Java class and method: PDSSOResourceGroup object.getSSOResources
Command line equivalent: pdadmin rsrcgroup show resource_group_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > click GSO resource group

C API: ivadmin_ssogroup_list()
Java class and method: PDSSOResourceGroup.listSSOResourceGroups
Command line equivalent: pdadmin rsrcgroup list
Web Portal Manager equivalent: GSO Resource > List GSO Groups

C API: ivadmin_ssogroup_removeres()
Java class and method: PDSSOResourceGroup.removeSSOResource; PDSSOResourceGroup object.removeSSOResource
Command line equivalent: pdadmin rsrcgroup modify resource_group_name remove rsrcname resource_name
Web Portal Manager equivalent: GSO Resource > List GSO Groups > click GSO resource group > select members > Remove


C API: ivadmin_ssoweb_create()
Java class and method: PDSSOResource.createSSOResource
Command line equivalent: pdadmin rsrc create resource_name [-desc description]
Web Portal Manager equivalent: GSO Resource > Create GSO

C API: ivadmin_ssoweb_delete()
Java class and method: PDSSOResource.deleteSSOResource
Command line equivalent: pdadmin rsrc delete resource_name
Web Portal Manager equivalent: GSO Resource > List GSO > select GSO resources > Delete

C API: ivadmin_ssoweb_get()
Java class and method: PDSSOResource constructor
Command line equivalent: pdadmin rsrc show resource_name
Web Portal Manager equivalent: GSO Resource > List GSO > click GSO resource

C API: ivadmin_ssoweb_getdescription()
Java class and method: PDSSOResource object.getDescription
Command line equivalent: pdadmin rsrc show resource_name
Web Portal Manager equivalent: GSO Resource > List GSO > click GSO resource

C API: ivadmin_ssoweb_getid()
Java class and method: PDSSOResource object.getId
Command line equivalent: pdadmin rsrc show resource_name
Web Portal Manager equivalent: GSO Resource > List GSO > click GSO resource

C API: ivadmin_ssoweb_list()
Java class and method: PDSSOResource.listSSOResources
Command line equivalent: pdadmin rsrc list
Web Portal Manager equivalent: GSO Resource > List GSO

C API: ivadmin_user_create3()
Java class and method: PDUser.createUser
Command line equivalent: pdadmin user create [-gsouser] [-no-password-policy] user_name dn cn sn pwd (group1 group2 ...)
Web Portal Manager equivalent: User > Create User

C API: ivadmin_user_delete2()
Java class and method: PDUser.deleteUser
Command line equivalent: pdadmin user delete [-registry] user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > select user names > Delete

C API: ivadmin_user_get()
Java class and method: PDUser constructor
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getaccexpdate()
Java class and method: PDPolicy object.getAcctExpDate
Command line equivalent: pdadmin user get account-expiry-date [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getaccountvalid()
Java class and method: PDUser object.isAccountValid
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getbydn()
Java class and method: PDUser constructor
Command line equivalent: pdadmin user show -dn dn
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name


C API: ivadmin_user_getcn()
Java class and method: PDUser object.getFirstName
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getdescription()
Java class and method: PDUser object.getDescription
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getdisabletimeint()
Java class and method: PDPolicy object.getAcctDisableTimeInterval
Command line equivalent: pdadmin policy get disable-time-interval [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getdn()
Java class and method: PDUser object.getRgyName
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getid()
Java class and method: PDUser object.getId
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getmaxlgnfails()
Java class and method: PDPolicy object.getMaxFailedLogins
Command line equivalent: pdadmin policy get max-login-failures [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getmaxpwdage()
Java class and method: PDPolicy object.getMaxPwdAge
Command line equivalent: pdadmin policy get max-password-age [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getmaxpwdrepchars()
Java class and method: PDPolicy object.getMaxPwdRepChars
Command line equivalent: pdadmin policy get max-password-repeated-chars [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getmemberships()
Java class and method: PDUser object.getGroups
Command line equivalent: pdadmin user show-groups user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Groups tab


C API: ivadmin_user_getminpwdalphas()
Java class and method: PDPolicy object.getMinPwdAlphas
Command line equivalent: pdadmin policy get min-password-alphas [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getminpwdlen()
Java class and method: PDPolicy object.getMinPwdLen
Command line equivalent: pdadmin policy get min-password-length [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getminpwdnonalphas()
Java class and method: PDPolicy object.getMinPwdNonAlphas
Command line equivalent: pdadmin policy get min-password-non-alphas [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getpasswordvalid()
Java class and method: PDUser object.isPasswordValid
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getpwdspaces()
Java class and method: PDPolicy object.pwdSpacesAllowed
Command line equivalent: pdadmin policy get password-spaces [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_getsn()
Java class and method: PDUser object.getLastName
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: not applicable
Java class and method: PDUser object.isPDUser
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_getssouser()
Java class and method: PDUser object.isSSOUser
Command line equivalent: pdadmin user show user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name

C API: ivadmin_user_gettodaccess()
Java class and method: PDPolicy object.getAccessibleDays; PDPolicy object.getAccessStartTime; PDPolicy object.getAccessEndTime
Command line equivalent: pdadmin policy get tod-access -user user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_import2()
Java class and method: PDUser.importUser
Command line equivalent: pdadmin user import [-gsouser] user_name dn
Web Portal Manager equivalent: User > Import User


C API: ivadmin_user_list()
Java class and method: PDUser.listUsers
Command line equivalent: pdadmin user list pattern max_return
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search

C API: ivadmin_user_listbydn()
Java class and method: PDUser.listUsers
Command line equivalent: pdadmin user list -dn pattern max_return
Web Portal Manager equivalent: Not supported.

C API: ivadmin_user_setaccexpdate()
Java class and method: PDPolicy.setAcctExpDate; PDPolicy object.setAcctExpDate
Command line equivalent: pdadmin policy set account-expiry-date [unlimited | absolute_time | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setaccountvalid()
Java class and method: PDUser.setAccountValid; PDUser object.setAccountValid
Command line equivalent: pdadmin user modify user_name account-valid [yes | no]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > General tab

C API: ivadmin_user_setdescription()
Java class and method: PDUser.setDescription; PDUser object.setDescription
Command line equivalent: pdadmin user modify user_name description description
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > General tab

C API: ivadmin_user_setdisabletimeint()
Java class and method: PDPolicy.setAcctDisableTime; PDPolicy object.setAcctDisableTime
Command line equivalent: pdadmin policy set disable-time-interval [number | unset | disable] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setmaxlgnfails()
Java class and method: PDPolicy.setMaxFailedLogins; PDPolicy object.setMaxFailedLogins
Command line equivalent: pdadmin policy set max-login-failures [number | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setmaxpwdage()
Java class and method: PDPolicy.setMaxPwdAge; PDPolicy object.setMaxPwdAge
Command line equivalent: pdadmin policy set max-password-age [unset | relative_time] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setmaxpwdrepchars()
Java class and method: PDPolicy.setMaxPwdRepChars; PDPolicy object.setMaxPwdRepChars
Command line equivalent: pdadmin policy set max-password-repeated-chars [number | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab


C API: ivadmin_user_setminpwdalphas()
Java class and method: PDPolicy.setMinPwdAlphas; PDPolicy object.setMinPwdAlphas
Command line equivalent: pdadmin policy set min-password-alphas [number | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setminpwdlen()
Java class and method: PDPolicy.setMinPwdLen; PDPolicy object.setMinPwdLen
Command line equivalent: pdadmin policy set min-password-length [number | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setminpwdnonalphas()
Java class and method: PDPolicy.setMinPwdNonAlphas; PDPolicy object.setMinPwdNonAlphas
Command line equivalent: pdadmin policy set min-password-non-alphas [number | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setpassword()
Java class and method: PDUser.setPassword; PDUser object.setPassword
Command line equivalent: pdadmin user modify user_name password password
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > General tab

C API: ivadmin_user_setpasswordvalid()
Java class and method: PDUser.setPasswordValid; PDUser object.setPasswordValid
Command line equivalent: pdadmin user modify user_name password-valid [yes | no]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > General tab

C API: ivadmin_user_setpwdspaces()
Java class and method: PDPolicy.setPwdSpacesAllowed; PDPolicy object.setPwdSpacesAllowed
Command line equivalent: pdadmin policy set password-spaces [yes | no | unset] [-user user_name]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab

C API: ivadmin_user_setssouser()
Java class and method: PDUser.setSSOUser; PDUser object.setSSOUser
Command line equivalent: pdadmin user modify user_name gsouser [yes | no]
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > General tab

C API: ivadmin_user_settodaccess()
Java class and method: PDPolicy.setTodAccess; PDPolicy object.setTodAccess
Command line equivalent: pdadmin policy set tod-access tod_value -user user_name
Web Portal Manager equivalent: User > Search Users > enter pattern and maximum results > Search > click user name > Policy tab


Appendix E. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2002, 2003 87

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:


AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control list (ACL). In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users’ access rights to that file.

access permission. The access privilege that applies to the entire object.

action. An access control list (ACL) permission attribute. See also access control list.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service will respond to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user’s eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization rule. See rule.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Tivoli Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization of requests for resources.

C

CA. See certificate authority.

CDAS. See Cross Domain Authentication Service.

CDMF. See Cross Domain Mapping Framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues

certificates.

The

certificate

authority

authenticates

the

certificate

owner’s

identity

and

the

services

that

the

owner

is

authorized

to

use,

issues

new

certificates,

renews

existing

certificates,

and

revokes

certificates

belonging

to

users

who

are

no

longer

authorized

to

use

them.

CGI.

See

common

gateway

interface.

©

Copyright

IBM

Corp.

2002,

2003

91

cipher.

Encrypted

data

that

is

unreadable

until

it

has

been

converted

into

plain

data

(decrypted)

with

a

key.

common

gateway

interface

(CGI).

An

Internet

standard

for

defining

scripts

that

pass

information

from

a

Web

server

to

an

application

program,

through

an

HTTP

request,

and

vice

versa.

A

CGI

script

is

a

CGI

program

that

is

written

in

a

scripting

language,

such

as

Perl.

configuration.

(1)

The

manner

in

which

the

hardware

and

software

of

an

information

processing

system

are

organized

and

interconnected.

(2)

The

machines,

devices,

and

programs

that

make

up

a

system,

subsystem,

or

network.

connection.

(1)

In

data

communication,

an

association

established

between

functional

units

for

conveying

information.

(2)

In

TCP/IP,

the

path

between

two

protocol

applications

that

provides

reliable

data

stream

delivery

service.

In

the

Internet,

a

connection

extends

from

a

TCP

application

on

one

system

to

a

TCP

application

on

another

system.

(3)

In

system

communications,

a

line

over

which

data

can

be

passed

between

two

systems

or

between

a

system

and

a

device.

container

object.

A

structural

designation

that

organizes

the

object

space

into

distinct

functional

regions.

cookie.

Information

that

a

server

stores

on

a

client

machine

and

accesses

during

subsequent

sessions.

Cookies

allow

servers

to

remember

specific

information

about

clients.

credentials.

Detailed

information,

acquired

during

authentication,

that

describes

the

user,

any

group

associations,

and

other

security-related

identity

attributes.

Credentials

can

be

used

to

perform

a

multitude

of

services,

such

as

authorization,

auditing,

and

delegation.

credentials

modification

service.

An

authorization

API

runtime

plug-in

which

can

be

used

to

modify

a

Tivoli

Access

Manager

credential.

Credentials

modification

services

developed

externally

by

customers

are

limited

to

performing

operation

to

add

and

remove

from

the

credentials

attribute

list

and

only

to

those

attributes

that

are

considered

modifiable.

cross

domain

authentication

service

(CDAS).

A

WebSEAL

service

that

provides

a

shared

library

mechanism

that

allows

you

to

substitute

the

default

WebSEAL

authentication

mechanisms

with

a

custom

process

that

returns

a

Tivoli

Access

Manager

identity

to

WebSEAL.

See

also

WebSEAL.

cross

domain

mapping

framework

(CDMF).

A

programming

interface

that

allows

a

developer

to

customize

the

mapping

of

user

identities

and

the

handling

of

user

attributes

when

WebSEAL

e-Community

SSO

function

are

used.

D

daemon.

A

program

that

runs

unattended

to

perform

continuous

or

periodic

systemwide

functions,

such

as

network

control.

Some

daemons

are

triggered

automatically

to

perform

their

task;

others

operate

periodically.

directory

schema.

The

valid

attribute

types

and

object

classes

that

can

appear

in

a

directory.

The

attribute

types

and

object

classes

define

the

syntax

of

the

attribute

values,

which

attributes

must

be

present,

and

which

attributes

may

be

present

for

the

directory.

distinguished

name

(DN).

The

name

that

uniquely

identifies

an

entry

in

a

directory.

A

distinguished

name

is

made

up

of

attribute:value

pairs,

separated

by

commas.

digital

signature.

In

e-commerce,

data

that

is

appended

to,

or

is

a

cryptographic

transformation

of,

a

data

unit

and

that

enables

the

recipient

of

the

data

unit

to

verify

the

source

and

integrity

of

the

unit

and

to

recognize

potential

forgery.

DN.

See

distinguished

name.

domain.

(1)

A

logical

grouping

of

users,

systems,

and

resources

that

share

common

services

and

usually

function

with

a

common

purpose.

(2)

That

part

of

a

computer

network

in

which

the

data

processing

resources

are

under

common

control.

See

also

domain

name.

domain

name.

In

the

Internet

suite

of

protocols,

a

name

of

a

host

system.

A

domain

name

consists

of

a

sequence

of

subnames

that

are

separated

by

a

delimiter

character.

For

example,

if

the

fully

qualified

domain

name

(FQDN)

of

a

host

system

is

as400.rchland.vnet.ibm.com,

each

of

the

following

is

a

domain

name:

as400.rchland.vnet.ibm.com,

vnet.ibm.com,

ibm.com.

E

EAS.

See

External

Authorization

Service.

encryption.

In

computer

security,

the

process

of

transforming

data

into

an

unintelligible

form

in

such

a

way

that

the

original

data

either

cannot

be

obtained

or

can

be

obtained

only

by

using

a

decryption

process.

entitlement.

A

data

structure

that

contains

externalized

security

policy

information.

Entitlements

contain

policy

data

or

capabilities

that

are

formatted

in

a

way

that

is

understandable

to

a

specific

application.

entitlement

service.

An

authorization

API

runtime

plug-in

which

can

be

used

to

return

entitlements

from

an

external

source

for

a

principal

or

set

of

conditions.

Entitlements

are

normally

application

specific

data

that

will

be

consumed

by

the

resource

manager

application

92

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

in

some

way

or

added

to

the

principal’s

credentials

for

use

further

on

in

the

authorization

process.

Customers

may

develop

these

services

using

the

authorization

ADK.

external

authorization

service.

An

authorization

API

runtime

plug-in

that

can

be

used

to

make

application

or

environment

specific

authorization

decisions

as

part

of

the

Tivoli

Access

Manager

authorization

decision

chain.

Customers

may

develop

these

services

using

the

authorization

ADK.

F

file

transfer

protocol

(FTP).

In

the

Internet

suite

of

protocols,

an

application

layer

protocol

that

uses

Transmission

Control

Protocol

(TCP)

and

Telnet

services

to

transfer

bulk-data

files

between

machines

or

hosts.

G

global

signon

(GSO).

A

flexible

single

sign-on

solution

that

enables

the

user

to

provide

alternative

user

names

and

passwords

to

the

back-end

Web

application

server.

Global

signon

grants

users

access

to

the

computing

resources

they

are

authorized

to

use

through

a

single

login.

Designed

for

large

enterprises

consisting

of

multiple

systems

and

applications

within

heterogeneous,

distributed

computing

environments,

GSO

eliminates

the

need

for

users

to

manage

multiple

user

names

and

passwords.

See

also

single

signon.

GSO.

See

global

signon.

H

host.

A

computer

that

is

connected

to

a

network

(such

as

the

Internet

or

an

SNA

network)

and

provides

an

access

point

to

that

network.

Also,

depending

on

the

environment,

the

host

may

provide

centralized

control

of

the

network.

The

host

can

be

a

client,

a

server,

or

both

a

client

and

a

server

simultaneously.

HTTP.

See

Hypertext

Transfer

Protocol.

hypertext

transfer

protocol

(HTTP).

In

the

Internet

suite

of

protocols,

the

protocol

that

is

used

to

transfer

and

display

hypertext

documents.

I

Internet

protocol

(IP).

In

the

Internet

suite

of

protocols,

a

connectionless

protocol

that

routes

data

through

a

network

or

interconnected

networks

and

acts

as

an

intermediary

between

the

higher

protocol

layers

and

the

physical

network.

Internet

suite

of

protocols.

A

set

of

protocols

developed

for

use

on

the

Internet

and

published

as

Requests

for

Comments

(RFCs)

through

the

Internet

Engineering

Task

Force

(IETF).

interprocess

communication

(IPC).

(1)

The

process

by

which

programs

communicate

data

to

each

other

and

synchronize

their

activities.

Semaphores,

signals,

and

internal

message

queues

are

common

methods

of

interprocess

communication.

(2)

A

mechanism

of

an

operating

system

that

allows

processes

to

communicate

with

each

other

within

the

same

computer

or

over

a

network.

IP.

See

Internet

Protocol.

IPC.

See

Interprocess

Communication.

J

junction.

An

HTTP

or

HTTPS

connection

between

a

front-end

WebSEAL

server

and

a

back-end

Web

application

server.

WebSEAL

uses

a

junction

to

provide

protective

services

on

behalf

of

the

back-end

server.

K

key.

In

computer

security,

a

sequence

of

symbols

that

is

used

with

a

cryptographic

algorithm

for

encrypting

or

decrypting

data.

See

private

key

and

public

key.

key

database

file.

See

key

ring.

key

file.

See

key

ring.

key

pair.

In

computer

security,

a

public

key

and

a

private

key.

When

the

key

pair

is

used

for

encryption,

the

sender

uses

the

public

key

to

encrypt

the

message,

and

the

recipient

uses

the

private

key

to

decrypt

the

message.

When

the

key

pair

is

used

for

signing,

the

signer

uses

the

private

key

to

encrypt

a

representation

of

the

message,

and

the

recipient

uses

the

public

key

to

decrypt

the

representation

of

the

message

for

signature

verification.

key

ring.

In

computer

security,

a

file

that

contains

public

keys,

private

keys,

trusted

roots,

and

certificates.

L

LDAP.

See

Lightweight

Directory

Access

Protocol.

lightweight

directory

access

protocol

(LDAP).

An

open

protocol

that

(a)

uses

TCP/IP

to

provide

access

to

directories

that

support

an

X.500

model

and

(b)

does

not

incur

the

resource

requirements

of

the

more

complex

X.500

Directory

Access

Protocol

(DAP).

Applications

that

use

LDAP

(known

as

directory-enabled

applications)

can

use

the

directory

as

a

common

data

store

and

for

retrieving

information

about

people

or

services,

such

as

e-mail

addresses,

public

keys,

or

service-specific

configuration

parameters.

LDAP

was

originally

specified

in

RFC

Glossary

93

1777.

LDAP

version

3

is

specified

in

RFC

2251,

and

the

IETF

continues

work

on

additional

standard

functions.

Some

of

the

IETF-defined

standard

schemas

for

LDAP

are

found

in

RFC

2256.

lightweight

third

party

authentication

(LTPA).

An

authentication

framework

that

allows

single

sign-on

across

a

set

of

Web

servers

that

fall

within

an

Internet

domain.

LTPA.

See

lightweight

third

party

authentication.

M

management

domain.

The

default

domain

in

which

Tivoli

Access

Manager

enforces

security

policies

for

authentication,

authorization,

and

access

control.

This

domain

is

created

when

the

policy

server

is

configured.

See

also

domain.

management

server.

Obsolete.

See

policy

server.

metadata.

Data

that

describes

the

characteristics

of

stored

data.

migration.

The

installation

of

a

new

version

or

release

of

a

program

to

replace

an

earlier

version

or

release.

multi-factor

authentication.

A

protected

object

policy

(POP)

that

forces

a

user

to

authenticate

using

two

or

more

levels

of

authentication.

For

example,

the

access

control

on

a

protected

resource

can

require

that

the

users

authenticate

with

both

user

name/password

and

user

name/token

passcode.

See

also

protected

object

policy.

multiplexing

proxy

agent

(MPA).

A

gateway

that

accommodates

multiple

client

access.

These

gateways

are

sometimes

known

as

Wireless

Access

Protocol

(WAP)

gateways

when

clients

access

a

secure

domain

using

a

WAP.

Gateways

establish

a

single

authenticated

channel

to

the

originating

server

and

tunnel

all

client

requests

and

responses

through

this

channel.

N

network-based

authentication.

A

protected

object

policy

(POP)

that

controls

access

to

objects

based

on

the

internet

protocol

(IP)

address

of

the

user.

See

also

protected

object

policy.

P

PAC.

See

privilege

attribute

certificate.

permission.

The

ability

to

access

a

protected

object,

such

as

a

file

or

directory.

The

number

and

meaning

of

permissions

for

an

object

are

defined

by

the

access

control

list

(ACL).

See

also

access

control

list.

policy.

A

set

of

rules

that

are

applied

to

managed

resources.

policy

server.

The

Tivoli

Access

Manager

server

that

maintains

the

location

information

about

other

servers

in

the

secure

domain.

polling.

The

process

by

which

databases

are

interrogated

at

regular

intervals

to

determine

if

data

needs

to

be

transmitted.

POP.

See

protected

object

policy.

portal.

An

integrated

Web

site

that

dynamically

produces

a

customized

list

of

Web

resources,

such

as

links,

content,

or

services,

available

to

a

specific

user,

based

on

the

access

permissions

for

the

particular

user.

privilege

attribute

certificate.

A

digital

document

that

contains

a

principal’s

authentication

and

authorization

attributes

and

a

principal’s

capabilities.

privilege

attribute

certificate

service.

An

authorization

API

runtime

client

plug-in

which

translates

a

PAC

of

a

predetermined

format

in

to

a

Tivoli

Access

Manager

credential,

and

vice-versa.

These

services

could

also

be

used

to

package

or

marshall

a

Tivoli

Access

Manager

credential

for

transmission

to

other

members

of

the

secure

domain.

Customers

may

develop

these

services

using

the

authorization

ADK.

See

also

privilege

attribute

certificate.

protected

object.

The

logical

representation

of

an

actual

system

resource

that

is

used

for

applying

ACLs

and

POPs

and

for

authorizing

user

access.

See

also

protected

object

policy

and

protected

object

space.

protected

object

policy

(POP).

A

type

of

security

policy

that

imposes

additional

conditions

on

the

operation

permitted

by

the

ACL

policy

to

access

a

protected

object.

It

is

the

responsibility

of

the

resource

manager

to

enforce

the

POP

conditions.

See

also

access

control

list,

protected

object,

and

protected

object

space.

protected

object

space.

The

virtual

object

representation

of

actual

system

resources

that

is

used

for

applying

ACLs

and

POPs

and

for

authorizing

user

access.

See

also

protected

object

and

protected

object

policy.

private

key.

In

computer

security,

a

key

that

is

known

only

to

its

owner.

Contrast

with

public

key.

public

key.

In

computer

security,

a

key

that

is

made

available

to

everyone.

Contrast

with

private

key.

Q

quality

of

protection.

The

level

of

data

security,

determined

by

a

combination

of

authentication,

integrity,

and

privacy

conditions.

94

IBM

Tivoli

Access

Manager

for

e-business:

Administration

Java

Classes

Developer

Reference

R

registry.

The

datastore

that

contains

access

and

configuration

information

for

users,

systems,

and

software.

replica.

A

server

that

contains

a

copy

of

the

directory

or

directories

of

another

server.

Replicas

back

up

servers

in

order

to

enhance

performance

or

response

times

and

to

ensure

data

integrity.

resource

object.

The

representation

of

an

actual

network

resource,

such

as

a

service,

file,

and

program.

response

file.

A

file

that

contains

a

set

of

predefined

answers

to

questions

asked

by

a

program

and

that

is

used

instead

of

entering

those

values

one

at

a

time.

role

activation.

The

process

of

applying

the

access

permissions

to

a

role.

role

assignment.

The

process

of

assigning

a

role

to

a

user,

such

that

the

user

has

the

appropriate

access

permissions

for

the

object

defined

for

that

role.

routing

file.

An

ASCII

file

that

contains

commands

that

control

the

configuration

of

messages.

RSA

encryption.

A

system

for

public-key

cryptography

used

for

encryption

and

authentication.

It

was

invented

in

1977

by

Ron

Rivest,

Adi

Shamir,

and

Leonard

Adleman.

The

system’s

security

depends

on

the

difficulty

of

factoring

the

product

of

two

large

prime

numbers.

rule.

One

or

more

logical

statements

that

enable

the

event

server

to

recognize

relationships

among

events

(event

correlation)

and

to

execute

automated

responses

accordingly.

run

time.

The

time

period

during

which

a

computer

program

is

executing.

A

runtime

environment

is

an

execution

environment.

S

scalability.

The

ability

of

a

network

system

to

respond

to

increasing

numbers

of

users

who

access

resources.

schema.

The

set

of

statements,

expressed

in

a

data

definition

language,

that

completely

describe

the

structure

of

a

database.

In

a

relational

database,

the

schema

defines

the

tables,

the

fields

in

each

table,

and

the

relationships

between

fields

and

tables.

secure

sockets

layer

(SSL).

A

security

protocol

that

provides

communication

privacy.

SSL

enables

client/server

applications

to

communicate

in

a

way

that

is

designed

to

prevent

eavesdropping,

tampering,

and

message

forgery.

SSL

was

developed

by

Netscape

Communications

Corp.

and

RSA

Data

Security,

Inc.

security

management.

The

management

discipline

that

addresses

an

organization’s

ability

to

control

access

to

applications

and

data

that

are

critical

to

its

success.

self-registration.

The

process

by

which

a

user

can

enter

required

data

and

become

a

registered

Tivoli

Access

Manager

user,

without

the

involvement

of

an

administrator.

service.

Work

performed

by

a

server.

A

service

can

be

a

simple

request

for

data

to

be

sent

or

stored

(as

with

file

servers,

HTTP

servers,

e-mail

servers,

and

finger

servers),

or

it

can

be

more

complex

work

such

as

that

of

print

servers

or

process

servers.

silent

installation.

An

installation

that

does

not

send

messages

to

the

console

but

instead

stores

messages

and

errors

in

log

files.

Also,

a

silent

installation

can

use

response

files

for

data

input.

See

also

response

file.

single

signon

(SSO).

The

ability

of

a

user

to

logon

once

and

access

multiple

applications

without

having

to

logon

to

each

application

separately.

See

also

global

signon.

SSL.

See

Secure

Sockets

Layer.

SSO.

See

single

signon.

step-up

authentication.

A

protected

object

policy

(POP)

that

relies

on

a

preconfigured

hierarchy

of

authentication

levels

and

enforces

a

specific

level

of

authentication

according

to

the

policy

set

on

a

resource.

The

step-up

authentication

POP

does

not

force

the

user

to

authenticate

using

multiple

levels

of

authentication

to

access

any

given

resource

but

requires

the

user

to

authenticate

at

a

level

at

least

as

high

as

that

required

by

the

policy

protecting

a

resource.

suffix.

A

distinguished

name

that

identifies

the

top

entry

in

a

locally

held

directory

hierarchy.

Because

of

the

relative

naming

scheme

used

in

Lightweight

Directory

Access

Protocol

(LDAP),

this

suffix

applies

to

every

other

entry

within

that

directory

hierarchy.

A

directory

server

can

have

multiple

suffixes,

each

identifying

a

locally

held

directory

hierarchy.

T

token.

(1)

In

a

local

area

network,

the

symbol

of

authority

passed

successively

from

one

data

station

to

another

to

indicate

the

station

temporarily

in

control

of

the

transmission

medium.

Each

data

station

has

an

opportunity

to

acquire

and

use

the

token

to

control

the

medium.

A

token

is

a

particular

message

or

bit

pattern

that

signifies

permission

to

transmit.

(2)

In

local

area

networks

(LANs),

a

sequence

of

bits

passed

from

one

device

to

another

along

the

transmission

medium.

When

the

token

has

data

appended

to

it,

it

becomes

a

frame.

Glossary

95

trusted

root.

In

the

Secure

Sockets

Layer

(SSL),

the

public

key

and

associated

distinguished

name

of

a

certificate

authority

(CA).

U

uniform

resource

identifier

(URI).

The

character

string

used

to

identify

content

on

the

Internet,

including

the

name

of

the

resource

(a

directory

and

file

name),

the

location

of

the

resource

(the

computer

where

the

directory

and

file

name

exist),

and

how

the

resource

can

be

accessed

(the

protocol,

such

as

HTTP).

An

example

of

a

URI

is

a

uniform

resource

locator,

or

URL.

uniform

resource

locator

(URL).

A

sequence

of

characters

that

represent

information

resources

on

a

computer

or

in

a

network

such

as

the

Internet.

This

sequence

of

characters

includes

(a)

the

abbreviated

name

of

the

protocol

used

to

access

the

information

resource

and

(b)

the

information

used

by

the

protocol

to

locate

the

information

resource.

For

example,

in

the

context

of

the

Internet,

these

are

abbreviated

names

of

some

protocols

used

to

access

various

information

resources:

http,

ftp,

gopher,

telnet,

and

news;

and

this

is

the

URL

for

the

IBM

home

page:

http://www.ibm.com.

URI.

See

uniform

resource

identifier.

URL.

See

uniform

resource

locator.

user.

Any

person,

organization,

process,

device,

program,

protocol,

or

system

that

uses

a

service

provided

by

others.

user

registry.

See

registry.

V

virtual

hosting.

The

capability

of

a

Web

server

that

allows

it

to

appear

as

more

than

one

host

to

the

Internet.

W

Web

Portal

Manager

(WPM).

A

Web-based

graphical

application

used

to

manage

Tivoli

Access

Manager

Base

and

WebSEAL

security

policy

in

a

secure

domain.

An

alternative

to

the

pdadmin

command

line

interface,

this

GUI

enables

remote

administrator

access

and

enables

administrators

to

create

delegated

user

domains

and

assign

delegate

administrators

to

these

domains.

WebSEAL.

A

Tivoli

Access

Manager

blade.

WebSEAL

is

a

high

performance,

multi-threaded

Web

server

that

applies

a

security

policy

to

a

protected

object

space.

WebSEAL

can

provide

single

sign-on

solutions

and

incorporate

back-end

Web

application

server

resources

into

its

security

policy.

WPM.

See

Web

Portal

Manager.
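As an added illustration of how the access control list, protected object policy, step-up authentication and network-based authentication entries above fit together, the following Python model shows the decision a resource manager makes for a protected object: the ACL must grant the permission first, and only then are the POP conditions checked. It is not code from this reference or the product's Java API; every class, path and address is a constructed assumption, and the ACL entry precedence (user, then group, then any-other, then unauthenticated) and inheritance down the object tree are modelling assumptions rather than statements of the glossary.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Set, Tuple

PERMIT, DENY, STEP_UP = "permit", "deny", "step-up required"


@dataclass(frozen=True)
class Credential:
    """Identity attributes acquired at authentication (glossary: credentials).
    user=None models an unauthenticated client; auth_level is its position in
    a preconfigured hierarchy of authentication levels."""
    user: Optional[str]
    groups: FrozenSet[str]
    auth_level: int
    client_ip: str


@dataclass
class Acl:
    """Subjects that may access an object and their permissions (glossary: ACL).
    Entry types follow the index (user, group, any-other, unauthenticated); the
    precedence user > group > any-other > unauthenticated is an assumption."""
    users: Dict[str, Set[str]] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    any_other: Set[str] = field(default_factory=set)
    unauthenticated: Set[str] = field(default_factory=set)

    def permissions_for(self, cred: Credential) -> Set[str]:
        if cred.user is None:
            return set(self.unauthenticated)
        if cred.user in self.users:          # an explicit user entry wins outright
            return set(self.users[cred.user])
        matched = [self.groups[g] for g in cred.groups if g in self.groups]
        if matched:                           # group entries are combined
            return set().union(*matched)
        return set(self.any_other)


@dataclass
class Pop:
    """Conditions imposed on an operation the ACL already permits (glossary: POP)."""
    required_auth_level: int = 0              # step-up authentication
    allowed_networks: Tuple[str, ...] = ()    # network-based authentication; () = any

    def check(self, cred: Credential) -> str:
        if self.allowed_networks:
            ip = ip_address(cred.client_ip)
            if not any(ip in ip_network(net) for net in self.allowed_networks):
                return DENY
        # Step-up: a level below the policy's is reported as "step up", not a flat deny
        if cred.auth_level < self.required_auth_level:
            return STEP_UP
        return PERMIT


class ProtectedObjectSpace:
    """Tree of protected objects keyed by path. An ACL or POP attached to a node
    applies to its descendants until overridden (inheritance is an assumption)."""

    def __init__(self) -> None:
        self.acls: Dict[str, Acl] = {}
        self.pops: Dict[str, Pop] = {}

    def attach(self, path: str, acl: Optional[Acl] = None, pop: Optional[Pop] = None) -> None:
        if acl is not None:
            self.acls[path] = acl
        if pop is not None:
            self.pops[path] = pop

    @staticmethod
    def _nearest(table: Dict[str, object], path: str):
        while True:                           # walk up toward "/" until a policy is found
            if path in table:
                return table[path]
            if path == "/":
                return None
            path = path.rsplit("/", 1)[0] or "/"

    def decide(self, path: str, permission: str, cred: Credential) -> str:
        acl = self._nearest(self.acls, path)
        if acl is None or permission not in acl.permissions_for(cred):
            return DENY                       # ACL fails before any POP is consulted
        pop = self._nearest(self.pops, path)
        return PERMIT if pop is None else pop.check(cred)


def build_sample_space() -> ProtectedObjectSpace:
    """Constructed sample policy: anyone may read the public tree; only the
    finance group may read the private tree, and only at level 2 from 10.0.0.0/8."""
    space = ProtectedObjectSpace()
    space.attach("/", acl=Acl(any_other={"r"}, unauthenticated={"r"}))
    space.attach("/WebSEAL/www/private",
                 acl=Acl(users={"carol": set()}, groups={"finance": {"r", "x"}}),
                 pop=Pop(required_auth_level=2, allowed_networks=("10.0.0.0/8",)))
    return space
```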


Index

A
access control list entries, table 31
access control list entry types 30
access control lists, table 30
account functions, table 21, 22
accounts 20
action group functions, table 32
action groups
  overview 32
adding development systems 3
ADK component 2
administration tasks 49
any-authenticated 30
any-other 30
API differences 61
application developer kit (ADK) 2
application development kit (ADK) 2
application, deploying 5
applications, building 3
audit log 37
audit records 37
authentication
  certificate-based 13
  user ID and password-based 12
authorization rules
  administering 39
  methods 39
authorization server 6

B
building applications 3

C
com.tivoli.mts.SrvSslCfg() 55
com.tivoli.nts.PDAttrs 55
com.tivoli.nts.PDAttrs.get() 55
com.tivoli.nts.PDAttrs() 55
com.tivoli.nts.PDAttrValue 55
com.tivoli.nts.PDAttrValueList 55
com.tivoli.nts.PDStatics 55
com.tivoli.pd.jadmin.PDProtObject constructor 55
com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects 55
com.tivoli.pd.jadmin.PDServer.getTaskList 55
com.tivoli.pd.jadmin.PDServer.performTask 55
com.tivoli.pd.PDAppSvrConfig.configureAppSvr() 55
commands, pdadmin 2
commands, svrsslcfg 2
components 2
createGroup method 23
createUser method 19

D
demonstration program 5
deploying an application 5
deprecated classes and methods 55
  com.tivoli.mts.SrvSslCfgs() 55
  com.tivoli.nts.PDAttrs 55
  com.tivoli.nts.PDAttrs.get() 55
  com.tivoli.nts.PDAttrs() 55
  com.tivoli.nts.PDAttrValue 55
  com.tivoli.nts.PDAttrValueList 55
  com.tivoli.nts.PDStatics 55
  com.tivoli.pd.jadmin.PDProtObject constructor 55
  com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects 55
  com.tivoli.pd.jadmin.PDServer.getTaskList 55
  com.tivoli.pd.jadmin.PDServer.performTask 55
  com.tivoli.pd.PDAppSvrConfig.configureAppSvr() 55
  PDProtObject.getAcl 55
  PDProtObject.getAuthzRule 55
  PDProtObject.getPop 55
development systems, adding 3
domains
  administering 45
  management 45
  methods for administering 45

E
example program 5
extended action functions, table 33
extended actions, overview 33

F
files, installation directories 3

G
getLocalDomainName 45
getMgmtDomainName 45
getting administration tasks 49
group attributes, table 24
group functions, table 24
groups
  access control list entry type 30
  overview 19

I
IBM SecureWay Directory client 4
initializing API 12
installation 3
installation directories 3
installation requirements 3

J
Java classes 1
Javadoc information 2

L
log files 6, 7
logging
  messages 6
  PDJTracelogger 6
  trace output 7

M
management domain 45
message logging 6
methods
  PDAcl.listAcls 17
  PDAdmin.initialize 12
  PDAdmin.shutdown 18
  PDAuthzRule.listAuthzRules 17
  PDDomain.listDomains 17
  PDGroup.createGroup 23
  PDGroup.importGroup 23
  PDGroup.listGroups 17
  PDPolicy.acctDisableTimeEnforced 21
  PDPolicy.acctDisableTimeUnlimited 21
  PDPolicy.acctExpDateEnforced 21
  PDPolicy.acctExpDateUnlimited 21
  PDPolicy.getAccessEndTime 22
  PDPolicy.getAccessibleDays 22
  PDPolicy.getAccessStartTime 22
  PDPolicy.getAccessTimezone 22
  PDPolicy.getAcctDisableTimeInterval 21
  PDPolicy.getAcctExpDate 21
  PDPolicy.getMaxFailedLogins 22
  PDPolicy.maxFailedLoginsEnforced 22
  PDPolicy.setAcctDisableTime 22
  PDPolicy.setAcctExpDate 22
  PDPolicy.setMaxFailedLogins 22
  PDPolicy.setTodAccess 22
  PDPolicy.todAccessEnforced 22
  PDProtObject.listProtObjects 17
  PDProtObject.listProtObjectsByAcl 17
  PDProtObjectSpace.listProtObjectSpaces 17
  PDUser.createUser 14, 19, 20
  PDUser.deleteUser 17, 19, 20
  PDUser.getDescription 16, 20
  PDUser.getFirstName 20
  PDUser.getGroups 20
  PDUser.getId 20
  PDUser.getLastName 20
  PDUser.getPolicy 20
  PDUser.getRgyName 20
  PDUser.getUserRgy 21
  PDUser.importUser 19, 20
  PDUser.isAccountValid 20
  PDUser.isPDUser 20
  PDUser.isSSOUser 21
  PDUser.listUsers 17, 20
  PDUser.setAccountValid 16, 21
  PDUser.setDescription 21
  PDUser.setPassword 21
  PDUser.setPasswordValid 21
  PDUser.setSSOUser 21

N
notification wait time 50

O
objects
  PDAcl 10, 30
  PDAclEntry 10, 30
  PDAclEntryAnyOther 10, 30
  PDAclEntryGroup 10, 30
  PDAclEntryUnAuth 10, 30
  PDAclEntryUser 10, 30
  PDAction 10
  PDActionGroup 10
  PDAdmin 9
  PDAdmSvcPobj 10
  PDAppSvrInfo 11
  PDAppSvrSpecLocal 11
  PDAppSvrSpecRemote 11
  PDAttrs 11
  PDAttrValue 11
  PDAttrValueList 12
  PDAttrValues 12
  PDContext 9, 53
  PDException 11, 53
  PDGroup 9, 23
  PDMessage 11, 17
  PDMessages 11, 17, 53
  PDPolicy 10, 21
  PDPop 10
  PDProtObject 10
  PDProtObjectSpace 10, 25
  PDRgyGroupName 10
  PDRgyName 11
  PDRgyUserName 10
  PDServer 11
  PDSSOCred.CredID 11
  PDSSOCred.CredInfo 11
  PDSSOResource 11
  PDSSOResourceGroup 11
  PDSvrInfo 11
  PDUser 9, 19

P
password functions, table 22, 23
passwords 21, 22
PD.jar file 1
pdacld server 6
pdadmin command line utility 2
PDContext object 53
PDException object 53
PDGroup 23
PDJlog.properties 6, 7
PDJTraceLogger 6
PDMessages object 53
pdmgrd server 6
PDProtObject.getAcl 55
PDProtObject.getAuthzRule 55
PDProtObject.getPop 55
PDUser 19
PDUser.deleteUser method 19
performing administration tasks 49
policy server 6
problem determination 5
protected object attributes 27
protected object functions, table 26, 27
protected object policies 35
  administering 35
  defined 25
protected object policy (POP) 25
protected object policy extended attributes 37
protected object policy extended attributes, table 37
protected object policy objects 35
protected object policy objects, table 35
protected object policy settings 36
protected object policy settings, table 37
protected object space functions, table 26
protected object spaces 25
protected objects 25, 26

R
registry, user 4
related publications xi
replica databases, notification threads 50
replica databases, notifying of updates 49, 50
requirements, for installation 3
response processing 53

S
secure domain 3
Secure Sockets Layer (SSL) 2
security context 12, 53
servers and databases, table 51
software requirements 3
svrsslcfg command line utility 2

T
tracing Java classes 7

U
unauthenticated 30
Unicode 18
user account functions, table 21, 22
user accounts 20
user functions, table 20
user password functions, table 22, 23
user passwords 21, 22
user registry 4
  differences xv, 57
  maximum values 58, 59
users 19, 30
using the administration API 9
UTF-8 18

W
wait time 50
warning attribute 37

Printed in USA

SC32-1356-00