Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Application Server 5.1.1

Procedure: To Grant Access to IBM WebSphere Application Server 5.1.1 Administration Console

Granting specific Access Manager roles the ability to access the IBM WebSphere Application Server 5.1.1 Administration Console requires that you change the mapping in the admin-authz.xml file to the appropriate roles.

Two methods are available to you for performing this task. You can use the agentadmin --setGroup command or you can manually edit the file by adding the groups element for every IBM WebSphere Application Server 5.1.1 role.

Before You Begin

Regardless of the method you use to edit the file, first create a backup file.

  1. Edit the file with the method of your choice as follows:

    • (Option 1) Issue the appropriate type of command depending on the Access Manager version as follows:

      Access Manager 7 Command
      agentadmin --setGroup administrator id=manager,ou=role,dc=iplanet,dc=com /opt/WebSphere/AppServer/config/cells/hostname/nodes/hostname

      Access Manager 6.3 Command
      agentadmin --setGroup administrator cn=manager,dc=iplanet,dc=com /opt/WebSphere/AppServer/config/cells/hostname/nodes/hostname


      where hostname represents the host name of the machine on which the IBM WebSphere Application Server 5.1.1 instance is installed.

      Execute the same command for any other IBM WebSphere Application Server 5.1.1 roles defined in admin-authz.xml, such as configurator, monitor, and operator.

      The --setGroup option of the agentadmin program is an option specifically available for IBM WebSphere Application Server. The format of the agentadmin command using the --setGroup option is as follows:

      agentadmin --setGroup WebSphere-rolename AccessManager-groupname admin-authz.xml-directory
      

      Note –

      The --setGroup option has a counterpart named --removeGroup, which can be used to remove an Access Manager group name. The following command example illustrates the format of the agentadmin --removeGroup command:

      agentadmin --removeGroup WebSphere-rolename AccessManager-groupname admin-authz.xml-directory
      

      You could use the --removeGroup option during the uninstallation of the agent. Using the --removeGroup option with the agentadmin program is one method available to you for restoring the admin-authz.xml file to its original state.


      As demonstrated in the preceding agentadmin command examples, the --setGroup option and the --removeGroup option both support the following arguments:

      WebSphere-rolename

      represents an IBM WebSphere Application Server 5.1.1 role name, such as administrator.

      AccessManager-groupname

      represents an Access Manager group name, such as id=manager,ou=role,dc=iplanet,dc=com for Access Manager 7 or cn=manager,dc=iplanet,dc=com for Access Manager 6.3.

      admin-authz.xml-directory

      represents the directory that contains the admin-authz.xml file.

      This option can be used to set the group name that is authorized to access the IBM WebSphere Application Server 5.1.1 Administration Console after the agent is installed. The option makes the change in the admin-authz.xml file. The IBM WebSphere Application Server 5.1.1 role name corresponds to any valid role name in the admin-authz.xml file found within the role element. The Access Manager group name corresponds to an Access Manager role, group, filtered group, or similar object.

      For Access Manager 7, the group name is the universal ID (UUID) of the corresponding Access Manager object. For Access Manager 6.3, the group name is the distinguished name (DN) of the user. In a federated environment, the group name is the corresponding value of the session attribute that holds the group name. The last argument is the fully qualified path to the directory that contains the admin-authz.xml file used by the IBM WebSphere Application Server 5.1.1 Administration Console to authorize users. The admin-authz.xml file can be found in the following directory:

      DeployContainer-base/config/cells/Cell-Name
      
      DeployContainer-base

      represents the directory within which the IBM WebSphere Application Server 5.1.1 instance was installed.

      Cell-Name

      represents the IBM WebSphere Application Server 5.1.1 cell protected by the agent.

      This directory contains the server instances protected by the agent. The option does not check the validity of the Access Manager group name.

    • (Option 2) Edit the admin-authz.xml file by adding the groups element for every IBM WebSphere Application Server 5.1.1 role.

      See Option 1 for information about the Access Manager group name and about the full path to the admin-authz.xml file.

      The following snippets of code show how the changed elements in this file might look depending upon the Access Manager version:

      Code Snippet for Access Manager 7
      <authorizations xmi:id="RoleAssignmentExt_2" role="SecurityRoleExt_2">
        <groups xmi:id="GroupExt_1070109200" name="id=manager,ou=role,dc=iplanet,dc=com"/>
      </authorizations>

      Code Snippet for Access Manager 6.3
      <authorizations xmi:id="RoleAssignmentExt_2" role="SecurityRoleExt_2">
        <groups xmi:id="GroupExt_1070109200" name="cn=manager,dc=iplanet,dc=com"/>
      </authorizations>

      Note –

      The value assigned to xmi:id must be unique. Make similar changes for any other IBM WebSphere Application Server 5.1.1 role, such as configurator, monitor, and operator.
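The following script is an added example, not part of this guide or of the agentadmin program: it performs the Option 2 edit (and its --removeGroup counterpart) on a constructed admin-authz.xml fragment, resolving the role name through the roles/roleName elements and generating an xmi:id that is unique within the file, as the note above requires. The roles element and the roleName attribute are assumptions about the file layout; like agentadmin, it does not validate the Access Manager group name.

```python
import xml.etree.ElementTree as ET

XMI = "http://www.omg.org/XMI"
XMI_ID = f"{{{XMI}}}id"
ET.register_namespace("xmi", XMI)
ET.register_namespace("rolebasedauthz",
    "http://www.ibm.com/websphere/appserver/schemas/5.0/rolebasedauthz.xmi")

# Constructed sample modelled on the snippets above (layout is an assumption).
SAMPLE = """<rolebasedauthz:AuthorizationTableExt xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:rolebasedauthz="http://www.ibm.com/websphere/appserver/schemas/5.0/rolebasedauthz.xmi">
  <authorizations xmi:id="RoleAssignmentExt_1" role="SecurityRoleExt_1">
    <users xmi:id="UserExt_1" name="server"/>
  </authorizations>
  <authorizations xmi:id="RoleAssignmentExt_2" role="SecurityRoleExt_2"/>
  <roles xmi:id="SecurityRoleExt_1" roleName="administrator"/>
  <roles xmi:id="SecurityRoleExt_2" roleName="configurator"/>
</rolebasedauthz:AuthorizationTableExt>"""

def _authorizations(root, role_name):
    """Find the authorizations element whose role attribute points at role_name."""
    for r in root.findall("roles"):
        if r.get("roleName") == role_name:
            for a in root.findall("authorizations"):
                if a.get("role") == r.get(XMI_ID):
                    return a
    raise ValueError(f"role {role_name!r} is not defined in admin-authz.xml")

def set_group(xml_text, role_name, group_name):
    """Equivalent of agentadmin --setGroup: add a groups element, unique xmi:id."""
    root = ET.fromstring(xml_text)
    auth = _authorizations(root, role_name)
    if all(g.get("name") != group_name for g in auth.findall("groups")):
        used = {e.get(XMI_ID) for e in root.iter()}   # every xmi:id in the file
        n = 1
        while f"GroupExt_{n}" in used:
            n += 1
        ET.SubElement(auth, "groups", {XMI_ID: f"GroupExt_{n}", "name": group_name})
    return ET.tostring(root, encoding="unicode")

def remove_group(xml_text, role_name, group_name):
    """Equivalent of agentadmin --removeGroup: drop the matching groups element."""
    root = ET.fromstring(xml_text)
    auth = _authorizations(root, role_name)
    for g in auth.findall("groups"):
        if g.get("name") == group_name:
            auth.remove(g)
    return ET.tostring(root, encoding="unicode")

def groups_for(xml_text, role_name):
    """Return the group names currently mapped to role_name."""
    auth = _authorizations(ET.fromstring(xml_text), role_name)
    return [g.get("name") for g in auth.findall("groups")]
```

Run it against a backup copy of the real file, never the live one, and diff the result before putting it in place.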


  2. Stop the IBM WebSphere Application Server 5.1.1 instance.