Administration Reference


Administrative Utilities

AquaLogic Enterprise Security includes a number of helpful administrative utilities. This section provides a reference to the following utilities:

In the syntax descriptions for these utilities:

bootloader

Loads a boot policy for the default set of providers for the ALES Administration SSM. This bootloader is a privileged loader that loads only the initial boot policy, so that the providers required for the Administration Server are configured to their initial settings. Once this boot policy has been set, the regular policyloader can be used to load the admin policy. The policyloader requires authentication and authorization to run.

The only input to the boot loader is a Java properties file, [asi.properties]. The ALES_ADMIN_HOME/config/asi.properties file will be used if no filename is provided on the command line.

Usage

ALES_ADMIN_HOME\bin\bootloader.bat [asi.properties] [-help] [-recover] [-recoverWithRecoveryAppParent]
ALES_ADMIN_HOME/bin/bootloader.sh [asi.properties] [-help] [-recover] [-recoverWithRecoveryAppParent]

Options

The following options are supported:

-help

Print USAGE: bootLoader [asi.properties] [-help] [-recover] [-recoverWithRecoveryAppParent] and exit.

-recover

Run in Recover mode. In this mode, the bootloader tool deletes the existing admin provider configuration and installs the initial boot configuration. Use this option only if you want to return to the original default settings for the providers used by the admin configuration. It does not affect any policy or any SSM configuration other than the asiadmin SSM configuration.

-recoverWithRecoveryAppParent

Run in Recover mode with Recovery App Parent. In this mode, the bootloader tool deletes the existing admin provider configuration and installs the initial boot configuration. This option must be used in conjunction with the BLM also running with the configuration property BLM.wlesadmin.adminPolicyRoot pointing to //app/policy/ASI/recovery. To use this mode, you must edit the ALES_ADMIN_HOME/config/WLESblm.conf file and restart the BLM server before running the bootloader utility in this mode. This is needed in the rare case that the asiadmin SSM configuration has been updated in a way that prevents access to the ALES Administration Console and the system user has been locked out of making changes to the regular admin policy.

Example

>bootloader.bat -recover

policyloader

This is the Policy Import tool, which you can use to import your policy files. Normally all the tool needs is a path to a valid policy loader configuration file. All the settings are listed in that file. You can use additional command line arguments to override the settings listed in the configuration file.

For information about creating a policy loader configuration file, see Sample Configuration File in the Policy Managers Guide. For more information about running the Policy Import tool, see Running the Policy Import Tool and Understanding How the Policy Loader Works in the Policy Managers Guide.

Usage

ALES_ADMIN_HOME\bin\policyloader.bat <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]
ALES_ADMIN_HOME/bin/policyloader.sh <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]

Options

The following options are supported:

-help|-?|-usage

Print USAGE and exit.

-initial

Run in initial mode. There should be no versioned files in the policy directory in this mode.

-recover

Run in recover mode to revert to an earlier policy set. There should be checkpoint files (generated automatically during a previous load) in the policy directory in this mode.

-load

Run in policy load mode (default). Load policy from the files specified in the configuration file.

-remove

Run in policy remove mode. Remove the policies described in the files specified in the configuration file.

Example

>policyloader.bat MyAppPolicy.conf

load_adminpolicy

Loads the admin policy. This tool does not take any arguments. It needs to be run only once per Administration Server installation, after the database schema has been loaded and the bootloader has been run. Once this tool has run, the correct policy is in place to allow the system user to access the Administration Console.

Usage

ALES_ADMIN_HOME\bin\load_adminpolicy.bat

Example

>load_adminpolicy.bat

policyIX

The Policy Propagation Import/Export tool. You can use this tool to propagate your policy from one environment to another, for example from a development installation to a QA installation, or from a staging installation to a production deployment. To export policy with the policyIX tool, pass it an XML configuration file that specifies the top-level resource node you want to export. The tool determines all the policy elements related to that resource and its leaf nodes. When you import the exported file in another environment, the policyIX tool creates a replica of the original resource tree with its accompanying policy.

Usage

ALES_ADMIN_HOME\bin\policyIX.bat <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]

Options

-import

Run the tool in policy import mode.

-export

Run the tool in policy export mode.

config.xml

This configuration file contains BLM configuration and import or export configuration detail. If you run policyIX in import mode, then the configuration file may also contain policy data to be imported. A sample policyIX configuration file can be found at ALES_ADMIN_HOME/config/policyIX_config.xml. See the comments in the sample policyIX_config.xml file for information about the values to include in your configuration file.

policy.xml

If you run policyIX in export mode, policy data is exported into this file. If you run policyIX in import mode and the XML configuration file does not contain policy data, the policy configuration and data to be imported are read from this file.

-passwdPrompt

If you use this option, the admin password is read from the command line.

Example

To export a policy:

>policyIX.bat -export MyServer1ExportConfig.xml MyPolicy.xml

To import a policy:

>policyIX.bat -import MyServer2ImportConfig.xml MyPolicy.xml

export_policy_oracle

Exports ALES policy data from an Oracle database server to a directory in policyloader format. The tool requires an empty directory into which it exports the files, and that directory must exist before you run the tool. Any existing policy files in that directory will be replaced or deleted. On UNIX, the program prompts for each input, and you enter the arguments at the prompts. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

The ORACLE_HOME environment variable must be set to the Oracle Client directory. Also make sure your PATH environment variable includes the current directory and the /bin directory of the Oracle client. On UNIX, make sure that LD_LIBRARY_PATH is also set correctly.

Usage

ALES_ADMIN_HOME\bin\export_policy_oracle.bat <server> <owner> <dblogin> <password> [directory]
ALES_ADMIN_HOME/bin/export_policy_oracle.sh

Options

server

Oracle database server name

owner

Owner of the policy

dblogin

Login id, usually same as owner

password

Password for the owner

directory

Directory path to which the files will be exported. Use . to export to the current directory.

Example

>export_policy_oracle.bat DBSERVER wles wles password c:\MyPolicy

export_policy_sybase

Exports ALES policy data from a Sybase database server to a directory in policyloader format. The tool requires an empty directory into which it exports the files, and that directory must exist before you run the tool. Any existing policy files in that directory will be replaced or deleted. On UNIX, the program prompts for each input, and you enter the arguments at the prompts. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

The SYBASE environment variable must be set. The SYBASE_OCS environment variable must be set for the Sybase 12 open client. Also make sure your PATH environment variable includes the current directory and the \bin and \dll subdirectories of the Sybase open client. On UNIX, make sure that LD_LIBRARY_PATH is also set correctly.

Usage

ALES_ADMIN_HOME\bin\export_policy_sybase.bat <server> <database> <owner> <login> <password> [directory]
ALES_ADMIN_HOME/bin/export_policy_sybase.sh

Options

server

Sybase database server name

database

Database name

owner

Owner of the policy

login

Login id, usually same as owner

password

Password for the owner

directory

Directory path to which the files will be exported. Use . to export to the current directory.

Example

>export_policy_sybase.bat DBSERVER sspolicy wles wles password c:\MyPolicy
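Both export tools (export_policy_oracle above and export_policy_sybase here) share the same preconditions: an existing, empty target directory, the client home variable set, PATH containing the current directory and the client's bin directory, and ALES_ADMIN_HOME/bin as the working directory. The following pre-flight script is an added example, not part of ALES; it assumes the UNIX client layout (a bin subdirectory under ORACLE_HOME or SYBASE) and that the tool prompts for its inputs once started.

```sh
#!/bin/sh
# Pre-flight checks for export_policy_oracle.sh / export_policy_sybase.sh
# (added example, not ALES code). Each check returns 0 on success and 1 with a
# message on stderr otherwise, so the export is never started on a directory
# whose contents it would replace or delete.

# check_export_dir DIR : DIR must exist, be a directory and contain no entries
check_export_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "export directory '$dir' does not exist" >&2; return 1; }
    # ls -A also lists dotfiles, so any output means the directory is not empty
    if [ -n "$(ls -A "$dir")" ]; then
        echo "export directory '$dir' is not empty; existing files would be replaced or deleted" >&2
        return 1
    fi
    return 0
}

# path_has ENTRY : true if ENTRY is one of the colon-separated PATH components
path_has() {
    case ":$PATH:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_client_env VARNAME : $VARNAME must name a directory and PATH must include
# both "." and $VARNAME/bin (assumed UNIX client layout; LD_LIBRARY_PATH and the
# Sybase SYBASE_OCS variable are not checked here)
check_client_env() {
    eval "home=\${$1}"
    [ -n "$home" ] && [ -d "$home" ] || { echo "$1 is not set to a directory" >&2; return 1; }
    path_has . || { echo "PATH does not include the current directory" >&2; return 1; }
    path_has "$home/bin" || { echo "PATH does not include $home/bin" >&2; return 1; }
    return 0
}

# check_cwd ALES_ADMIN_HOME : the working directory must be ALES_ADMIN_HOME/bin
check_cwd() {
    [ "$(pwd -P)" = "$(cd "$1/bin" 2>/dev/null && pwd -P)" ]
}

# Run all checks, then start the prompting UNIX tool, e.g.:
#   ./preflight.sh oracle /var/tmp/policyexport
if [ $# -eq 2 ]; then
    case $1 in
        oracle) var=ORACLE_HOME; tool=./export_policy_oracle.sh ;;
        sybase) var=SYBASE;      tool=./export_policy_sybase.sh ;;
        *) echo "usage: $0 oracle|sybase EXPORT_DIR" >&2; exit 2 ;;
    esac
    check_cwd "${ALES_ADMIN_HOME:?ALES_ADMIN_HOME must be set}" \
        && check_client_env "$var" && check_export_dir "$2" && exec "$tool"
fi
```

The script intentionally does not pass the database password as an argument: the UNIX tools prompt for it, whereas the .bat syntax takes it on the command line, where it is visible in process listings and shell history.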

install_schema_oracle

Installs the ALES policy database schema into an Oracle database server. If the schema already exists, it will be replaced, including existing policy. On UNIX, the program prompts you to input the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

The ORACLE_HOME environment variable must be set to the Oracle Client directory. Also make sure your PATH environment variable includes the current directory and the /bin directory of the Oracle client. On UNIX, make sure that LD_LIBRARY_PATH is also set correctly.

Usage

ALES_ADMIN_HOME\bin\install_schema_oracle.bat [-s] dbserver dblogin dbpassword enterprise_domain [policyowner]
ALES_ADMIN_HOME/bin/install_schema_oracle.sh

Options

dbserver

Oracle database server name

dblogin

Login ID, usually same as owner

dbpassword

Password for the dblogin user

enterprise_domain

ALES enterprise domain name. Default is asi.

policyowner

(Optional) Owner of the policy. Defaults to dblogin if not provided.

-s

Silent mode. Install with no confirmation screen.

Example

>install_schema_oracle.bat DBSERVER wles password asi

install_schema_sybase

Installs the ALES policy database schema into a Sybase database server. If the schema already exists, it will be replaced, including existing policy. On UNIX, the program prompts you to input the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

The SYBASE environment variable must be set. The SYBASE_OCS environment variable must be set for the Sybase 12 open client. Also make sure your PATH environment variable includes the current directory and the \bin and \dll subdirectories of the Sybase open client. On UNIX, make sure that LD_LIBRARY_PATH is also set correctly.

Usage

ALES_ADMIN_HOME\bin\install_schema_sybase.bat [-s] <server> <database> <dblogin> <dbpassword> <enterprise_domain> [policyowner]
ALES_ADMIN_HOME/bin/install_schema_sybase.sh

Options

dbserver

Sybase database server name

database

Policy database name

dblogin

Login ID, usually same as owner

dbpassword

Password for the dblogin user

enterprise_domain

ALES enterprise domain name. Default is asi.

policyowner

(Optional) Owner of the policy. Defaults to dblogin if not provided.

-s

Silent mode. Install with no confirmation screen.

Example

>install_schema_sybase.bat GODZILLA sspolicy wles password asi

asipassword

A secure password utility tool. It encrypts the password with the key and saves it, base64-encoded, into the password file under the corresponding alias. You can use this tool to store or update the password for the system user or the database user. Both the ARME and BLM processes read password.xml to obtain the password they use to connect to the ALES database.

If you enable the metadirectory for the ASI Authorization Provider, then remember to set the password for the SSM instance using this tool before restarting the ARME process.

Usage

ALES_ADMIN_HOME\bin\asipassword.bat <alias> [passwordFilename] [keyFilename]
ALES_ADMIN_HOME/bin/asipassword.sh <alias> [passwordFilename] [keyFilename]

Options

alias

The alias for the password, often the username.

passwordFilename

The filename for the xml password file. The default, ssl/password.xml, is used if you do not supply a different value for this option.

keyFilename

The filename for the password key file. The default, ssl/password.key, is used if you do not supply a different value for this option.

Example

cd ssl
../bin/asipassword.bat wles

asisignal

Sends an action command to the server via a Web Service interface.

Usage

ALES_ADMIN_HOME\bin\asisignal.bat -url server_url [-action ping|comtest|restart|shutdown|log|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]
ALES_ADMIN_HOME/bin/asisignal.sh -url server_url [-action ping|comtest|restart|shutdown|log|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]

Options

-action ping, comtest

Send a simple SOAP call to the server, and see if server returns a valid SOAP result.

-action restart

Restart the server.

-action shutdown

Shut down the server.

-action log

Send a message for server to log. The text of the message is specified by the -msg option.

-action status

Get the server status. The reply is either INITING or READY.

-action wait

Continuously ping the server until the server replies. If you use this option together with the -reps option, the tool sends pings until the server replies or the number of pings specified by the -reps option has been sent.

-action waitready

Like wait, but waits for the server to reach READY status, not just to respond to the SOAP communication.

-url

The Managed Server SOAP service URL (endpoint), usually ends with /ManagedServer. For example, https://host:7011/ManagedServer .

-msg

The message used by the log action to send to the server.

-reps

Repeat count. Used with the wait and waitready actions.

-interval

Sleep interval between each action, in milliseconds. Default is 1000 msecs (1s).

-?

Print a help message.

-dbg

Turn on debug for this utility.

Example

Ping the BLM Server running on the default port:

>asisignal.bat -action ping -url https://host:7011/ManagedServer

policy2XACML

A utility to translate policy rules from the ALES ARME format to XACML. It reads ALES policies from an input file in policyloader format, translates ALES rules to XACML, and stores the XACML rules to an output file.

Usage

ALES_ADMIN_HOME\bin\policy2XACML.bat [-in filename] [-out filename] [-?]
ALES_ADMIN_HOME/bin/policy2XACML.sh [-in filename] [-out filename] [-?]

Options

-in

The input policy file name. If no input file is provided, read standard input, until EOF is detected.

-out

The output policy file name. If no output file is provided, print to standard output.

Example

>policy2XACML.bat -in rule -out rule.xacml

lockdown

Lock down an Administration Server, SCM, or SSM instance with permissions for certain users and groups. It sets the directory permissions based upon the users and groups entered during install. These users and groups are used so that adequate file system security can be enforced for the ALES installation.

Usage

ALES_ADMIN_HOME\bin\lockdown.bat
ALES_ADMIN_HOME/bin/lockdown.sh
ALES_SCM_HOME\bin\lockdown.bat
ALES_SCM_HOME/bin/lockdown.sh
ALES_SSM_INSTANCE\adm\lockdown.bat
ALES_SSM_INSTANCE/adm/lockdown.sh

When files are changed by users other than asiadmin/scmuser, such as root, you should run this tool to change the file owner and groups to the users and group names selected during install (user asiadmin/scmuser and groups asiadgrp/asiusers). These file permissions need to be updated when you apply a cumulative patch to an existing ALES installation as root.

Example

>lockdown.bat

enrolltool

Enrolls an SCM instance by acquiring security certificates from the associated ALES Administration Server. Enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments in the Administration and Deployment Guide for more information). Before enrolling an SCM instance, make sure that the ALES Administration Server is running.

Usage

ALES_SCM_HOME\bin\enrolltool.bat <demo|secure>
ALES_SCM_HOME/bin/enrolltool.sh <demo|secure>

Options

demo

Enrolls the SCM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.

secure

Enrolls the SCM instance and verifies the Administration Server certificate using a CA certificate from the trust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Menu Options

When the tool is started, it displays the following menu options.

  1. Show Enrolled Domains
  2. Show Un-enrolled Domains
  3. Register Domain
  4. Unregister Domain
  5. Enroll
  6. Un-enroll
  7. Exit

Below you will find the explanations for each option.

  1. Show Enrolled Domains shows the list of all enrolled security domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  2. Show Un-enrolled Domains shows the list of all un-enrolled domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  3. Register Domain registers a new enterprise security domain. You must enter the following data about the domain:
    • the domain name,
    • the URLs of the primary and secondary Administration Servers,
    • listening port number and
    • name of the SCM instance.
    The new data is stored in the ALES_SCM_HOME\config\SCM.properties file. Initially, the new domain is un-enrolled. You must enroll it by selecting Enroll from the menu.

  4. Unregister Domain unregisters an enterprise security domain. The domain must be un-enrolled before it can be unregistered. You can un-enroll a domain by selecting Option 6 of the menu.
  5. Enroll enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator's username and password to access the administration server. If the SCM is enrolled the first time, you will be asked to enter passwords for the SCM certificate private key and for key stores being generated by the tool.
  6. Un-enroll un-enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator's username and password to access the administration server.

Example

>enrolltool demo

enroll

Enrolls an SSM instance by acquiring security certificates from the associated Administration Server. Enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments for more information). Before enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the enrollment process, you will be asked for the administrator's username and password to connect to the ALES Administration Server. If the SSM is enrolled the first time, you will be asked to enter passwords for the SSM certificate private key and for key stores being generated by the tool.

Usage

SSM_INSTANCE_HOME\adm\enroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/enroll.sh <demo|secure>

Options

demo

Enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.

secure

Enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Example

>enroll demo

unenroll

Un-enrolls an SSM instance. As a result of the un-enrollment, the SSM identity certificate is removed from the trusted-peer key stores of the servers the SSM communicates with. Before un-enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the un-enrollment process, you will be asked for the administrator's username and password to connect to the ALES administration server.

Usage

SSM_INSTANCE_HOME\adm\unenroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/unenroll.sh <demo|secure>

Options

demo

Un-enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.

secure

Un-enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Example

>unenroll demo
