AquaLogic Enterprise Security includes a number of helpful administrative utilities. This section provides a reference to the following utilities:
In the syntax descriptions for these utilities:
This is the Policy Import tool, which you can use to import your policy files. Normally all the tool needs is a path to a valid policy loader configuration file. All the settings are listed in that file. You can use additional command line arguments to override the settings listed in the configuration file.
If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.
As of AquaLogic Enterprise Security version 2.5, policy loading is now transactional: all policies are loaded, or none. In addition, the BLMContextManager API has been updated to include transactional methods.
For information about creating a policy loader configuration file, see Sample Configuration File in the Policy Managers Guide. For more information about running the Policy Import tool, see Running the Policy Import Tool and Understanding How the Policy Loader Works in the Policy Managers Guide.
ALES_ADMIN_HOME\bin\policyloader.bat <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]
ALES_ADMIN_HOME/bin/policyloader.sh <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]
The following options are supported:
>policyloader.bat MyAppPolicy.conf
Loads the admin policy. This tool does not take any arguments. It needs to be run only once per Administration Server installation, and only after the database schema has been loaded. Once this tool is run, it sets the policy that allows the system user to access the Administration Console.
ALES_ADMIN_HOME\bin\load_adminpolicy.bat
>load_adminpolicy.bat
The Policy Propagation Import/Export tool. You can use this tool to propagate your policy from one environment to another, and to export SSM configuration data for use when an SCM is not associated with the SSM. An example would be moving policy from a development installation to a QA installation, or from a staging installation to a production deployment.
If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.
To use the policyIX tool to export policy, pass it an XML configuration file that specifies the top-level resource node you want to export. The tool determines all the policy elements related to that resource and its leaf nodes. When you import the exported file in another environment, the policyIX tool creates a replica of the original resource tree with its accompanying policy.
The PolicyIX tool allows you to export configuration data (configured either through the ALES Administration Console, or directly via the BLM API) for a given SSM to an XML file, and use it with the configured SSMs when the SCM is not available.
To use the tool to export SSM configuration data, pass it the SSM configuration ID to export, the exportConfig parameter, the config.xml file and, optionally, the name of the exported XML file.
PolicyIX uses the existing settings for the SSL infrastructure, specified during the Administration Server installation, to sign the exported configuration files. Specifically, the PolicyIX.bat file invokes the tool with -Dales.policyTool.signer=wles-admin. The ales.policyTool.signer property is a required Java property that specifies the alias of the signing key in the identity keystore, which must be equal to the Administration Server machine name.
The public key of the Administration Server is then retrieved from the SSL peer keystore for the purpose of validating the configuration file's signature. This public key is available from the Administration Server's certificate, which was added to the SSL peer keystore during the enrollment process.
The unencoded signature of the XML file is stored in a corresponding signature file, whose name is derived from the full name of the signed XML file (including extension) with the added ".sig" extension. For example, myconfig.xml.sig.
After you export the configuration data, you must manually copy the XML configuration file and signature file to the SSM configuration directory, BEA_HOME/ales25-ssm/<ssm-type>/instance-name/config.
If you do not use the default name (wles.securityrealm.xml) for this configuration file, set the wles.realm.filename property in the BEA_HOME/ales25-ssm/<ssm-type>/instance-name/config/security.properties file. See Installing an SSM Without an Associated SCM in Installing Security Service Modules for additional information about the security.properties file.
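A defender's check of the .sig file before the exported configuration is copied into the SSM configuration directory, as an added example; this is not code from ALES or the policyIX tool. It assumes JKS keystores, SHA256withRSA as the signature algorithm (the page does not name one), a current JDK, and placeholder keystore paths, passwords and the ConfigSignatureCheck class name; the signer alias, the peer-keystore lookup and the .sig naming follow the text above.

```java
import java.io.FileInputStream;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;

public class ConfigSignatureCheck {
    // Assumptions, not from the ALES docs: JKS keystores and SHA256withRSA.
    static final String ALG = "SHA256withRSA";
    static KeyStore load(Path file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Sign the XML with the private key stored under signerAlias (the
    // ales.policyTool.signer alias) in the identity keystore. The raw,
    // unencoded signature goes to <xml>.sig, e.g. myconfig.xml.sig.
    static Path sign(Path xml, Path identityKs, char[] ksPass,
                     String signerAlias, char[] keyPass) throws Exception {
        PrivateKey key = (PrivateKey) load(identityKs, ksPass).getKey(signerAlias, keyPass);
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(Files.readAllBytes(xml));
        Path sigFile = Paths.get(xml.toString() + ".sig");
        Files.write(sigFile, s.sign());
        return sigFile;
    }

    // Verify <xml> against <xml>.sig with the Administration Server's public
    // key, taken from its certificate in the SSL peer (trust) keystore.
    static boolean verify(Path xml, Path peerKs, char[] ksPass,
                          String adminAlias) throws Exception {
        Certificate cert = load(peerKs, ksPass).getCertificate(adminAlias);
        if (cert == null) throw new IllegalStateException("no certificate for " + adminAlias);
        Signature s = Signature.getInstance(ALG);
        s.initVerify(cert.getPublicKey());
        s.update(Files.readAllBytes(xml));
        byte[] sigBytes = Files.readAllBytes(Paths.get(xml.toString() + ".sig"));
        return s.verify(sigBytes); // false if either the XML or the .sig was altered
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, password and alias; check before copying to the SSM config dir.
        boolean ok = verify(Paths.get("myconfig.xml"), Paths.get("ssl/peer.jks"),
                            "changeit".toCharArray(), "wles-admin");
        System.out.println(ok ? "signature OK" : "SIGNATURE MISMATCH: do not deploy");
    }
}
```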
ALES_ADMIN_HOME\bin\policyIX.bat <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME\bin\policyIX.bat <exportID> <-exportConfig> <config.xml> [exportName] [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <exportID> <-exportConfig> <config.xml> [exportName] [-passwdPrompt]
wles.securityrealm.xml is used by default. If -exportConfig is specified, exportName is optional, but must be in the fourth position if present.
wles.securityrealm.xml. If you do not use the default name, set the wles.realm.filename property in the security.properties file.
ALES_ADMIN_HOME/config/policyIX_config.xml. See the comments in the sample policyIX_config.xml file for information about the values to include in your configuration file.
>policyIX.bat -export MyServer1ExportConfig.xml MyPolicy.xml
To export an SSM configuration:
>policyIX.bat exportID -exportConfig MyServer1ExportConfig.xml MySSM.xml
>policyIX.bat -import MyServer2ImportConfig.xml MyPolicy.xml
Exports ALES policy data from a database server to a directory in policyloader format. The tool requires an empty directory into which it will export the files, and that directory must exist before running the tool. Any existing policy files in that directory will be replaced or deleted. On UNIX, the program prompts for each input, and the user can then enter the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.
ALES_ADMIN_HOME\bin\policyexporter.bat [directory]
ALES_ADMIN_HOME/bin/policyexporter.sh
>policyexporter.bat c:\MyPolicy
Installs the ALES policy database schema into the database server. If the schema already exists, it will be replaced, including existing policy. On UNIX, the program prompts you to input the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.
ALES_ADMIN_HOME\bin\install_ales_schema.bat <db-username> <db-password>
ALES_ADMIN_HOME/bin/install_ales_schema.sh
>install_ales_schema.bat username password
A secure password utility tool. It encrypts the password with the key and saves it, base64 encoded, into the password file under the corresponding alias. You can use this tool to store or update the password for the system user or the database user. The ASIAuthorizer and the BLM both look in password.xml for the correct password to connect to the ALES database.
ALES_ADMIN_HOME\bin\asipassword.bat <alias> [passwordFilename] [keyFilename]
ALES_ADMIN_HOME/bin/asipassword.sh <alias> [passwordFilename] [keyFilename]
ssl/password.xml is used if you do not supply a different value for this option.
ssl/password.key is used if you do not supply a different value for this option.
cd ssl
../bin/asipassword.bat wles
Sends an action command to the server via a Web Service interface.
ALES_ADMIN_HOME\bin\asisignal.bat -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]
ALES_ADMIN_HOME/bin/asisignal.sh -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]
-reps option, sends ping until the server replies or the number of pings specified by the -reps option has been sent.
wait, but waits for the server to reach READY status, not just to respond to the SOAP communication.
/ManagedServer. For example, https://host:7011/ManagedServer.
Ping the BLM Server running on the default port:
>asisignal.bat -action ping -url https://host:7011/ManagedServer
A utility to translate policy rules from the ALES ASIAuthorizer format to XACML. It reads ALES policies from an input file in policyloader format, translates ALES rules to XACML, and stores the XACML rules to an output file.
ALES_ADMIN_HOME\bin\policy2XACML.bat [-in filename] [-out filename] [-?]
ALES_ADMIN_HOME/bin/policy2XACML.sh [-in filename] [-out filename] [-?]
>policy2XACML.bat -in rule -out rule.xacml
Enrolls an SCM instance by acquiring security certificates from the associated ALES Administration Server. The enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments in the Administration and Deployment Guide for more information). Before enrolling an SCM instance, make sure that the ALES Administration Server is running.
ALES_SCM_HOME\bin\enrolltool.bat <demo|secure>
ALES_SCM_HOME/bin/enrolltool.sh <demo|secure>
DemoTrust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.
trust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool verifies that the Administration Server host matches the one in the certificate.
When the tool is started, it displays the following menu options.
Below you will find the explanations for each option.
>enrolltool demo
Enrolls an SSM instance by acquiring security certificates from the associated Administration Server. The enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments for more information). Before enrolling an SSM instance, make sure that the ALES Administration Server is running.
During the enrollment process, you will be asked for the administrator's username and password to connect to the ALES Administration Server. If the SSM is being enrolled for the first time, you will be asked to enter passwords for the SSM certificate private key and for the key stores being generated by the tool.
SSM_INSTANCE_HOME\adm\enroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/enroll.sh <demo|secure>
DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.
cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies that the Administration Server host matches the one in the certificate.
>enroll demo
Un-enrolls an SSM instance. As a result of the un-enrollment, the SSM identity certificate is removed from the trusted-peer key stores of the servers the SSM communicates with. Before un-enrolling an SSM instance, make sure that the ALES Administration Server is running.
During the un-enrollment process, you will be asked for the administrator's username and password to connect to the ALES Administration Server.
SSM_INSTANCE_HOME\adm\unenroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/unenroll.sh <demo|secure>
DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.
cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies that the Administration Server host matches the one in the certificate.
>unenroll demo