Administration Reference


Administrative Utilities

AquaLogic Enterprise Security includes a number of helpful administrative utilities. This section provides a reference to the following utilities:

    • policyloader
    • load_adminpolicy
    • policyIX
    • policyexporter
    • install_ales_schema
    • asipassword
    • asisignal
    • policy2XACML
    • enrolltool
    • enroll
    • unenroll

In the syntax descriptions for these utilities:

policyloader

This is the Policy Import tool, which you can use to import your policy files. Normally all the tool needs is a path to a valid policy loader configuration file. All the settings are listed in that file. You can use additional command line arguments to override the settings listed in the configuration file.

If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.

As of AquaLogic Enterprise Security version 2.5, policy loading is now transactional: all policies are loaded, or none. In addition, the BLMContextManager API has been updated to include transactional methods.

For information about creating a policy loader configuration file, see Sample Configuration File in the Policy Managers Guide. For more information about running the Policy Import tool, see Running the Policy Import Tool and Understanding How the Policy Loader Works in the Policy Managers Guide.

Usage

ALES_ADMIN_HOME\bin\policyloader.bat <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]
ALES_ADMIN_HOME/bin/policyloader.sh <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]

Options

The following options are supported:

-help|-?|-usage

Print USAGE and exit.

-initial

Run in initial mode. There should be no versioned files in the policy directory in this mode.

-recover

Run in recover mode to revert to an earlier policy set. There should be checkpoint files (generated automatically during a previous load) in the policy directory in this mode.

-load

Run in policy load mode (default). Load policy from the files specified in the configuration file.

-remove

Run in policy remove mode. Remove the policies described in the files specified in the configuration file.

Example

>policyloader.bat MyAppPolicy.conf

load_adminpolicy

Loads the admin policy. This tool does not take any arguments. It needs to be run only once per Administration Server installation, after the database schema has been loaded. Once this tool is run, it sets the policy that allows the system user to access the Administration Console.

Usage

ALES_ADMIN_HOME\bin\load_adminpolicy.bat

Example

>load_adminpolicy.bat

policyIX

The Policy Propagation Import/Export tool. You can use this tool to propagate your policy from one environment to another, and to export SSM configuration data for use when an SCM is not associated with the SSM. An example would be moving policy from a development installation to a QA installation, or from a staging installation to a production deployment.

If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.

Exporting Policy

To use the policyIX tool to export policy, pass it an XML configuration file that specifies the top-level resource node you want to export. The tool determines all the policy elements related to that resource and its leaf nodes. When you import the exported file in another environment, the policyIX tool creates a replica of the original resource tree with its accompanying policy.

Exporting Configuration Data

The PolicyIX tool allows you to export configuration data (configured either through the ALES Administration Console, or directly via the BLM API) for a given SSM to an XML file, and use it with the configured SSMs when the SCM is not available.

To use the tool to export SSM configuration data, pass it the SSM configuration ID to export, the exportConfig parameter, the config.xml file and, optionally, the name of the exported XML file.

PolicyIX uses the existing settings for the SSL infrastructure, specified during the Administration server installation, to sign the exported configuration files. Specifically, the PolicyIX.bat file invokes the tool with -Dales.policyTool.signer=wles-admin. The ales.policyTool.signer property is a required Java property that specifies the alias of the signing key in the identity keystore, which must be equal to the Administration server machine name.

The public key of the Administration server is then retrieved from the SSL peer keystore for the purpose of validating the configuration file's signature. This public key is available from the Administration server's certificate, which was added to the SSL peer keystore during the enrollment process.

The unencoded signature of the XML file is stored in a corresponding signature file, whose name is derived from the full name of the signed XML file (including extension) with the added ".sig" extension. For example, myconfig.xml.sig.

After you export the configuration data, you must manually copy the XML configuration file and signature file to the SSM configuration directory, BEA_HOME/ales25-ssm/<ssm-type>/instance-name/config.

If you do not use the default name (wles.securityrealm.xml) for this configuration file, set the wles.realm.filename property in the BEA_HOME/ales25-ssm/<ssm-type>/instance-name/config/security.properties file. See Installing an SSM Without an Associated SCM in Installing Security Service Modules for additional information about the security.properties file.
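The copy-and-configure step above is easy to get wrong by hand (a missing or misnamed .sig file, or a forgotten wles.realm.filename property). The following is an added example script, not part of the ALES product, that stages an exported configuration file into an SSM config directory; the config directory layout and the wles.realm.filename property come from this page, while the function names and argument order are this example's own.

```shell
#!/bin/sh
# Added example (not BEA's own code): stage a policyIX-exported SSM
# configuration file and its signature into an SSM config directory
# (BEA_HOME/ales25-ssm/<ssm-type>/<instance>/config on the page).
# Function names and argument order are assumptions of this example.
set -u

DEFAULT_REALM_FILE="wles.securityrealm.xml"

# install_ssm_config <exported.xml> <ssm_config_dir>
# Expects <exported.xml>.sig beside the XML, the name policyIX produces.
# Returns 0 on success, non-zero with a message on stderr otherwise.
install_ssm_config() {
    xml="$1"
    cfgdir="$2"
    sig="$xml.sig"
    base=$(basename "$xml")
    props="$cfgdir/security.properties"

    [ -f "$xml" ] || { echo "missing exported config: $xml" >&2; return 1; }
    # Refuse to deploy without the signature: the SSM validates the XML
    # against the Administration server certificate, so an unsigned
    # file is useless at best and untrustworthy at worst.
    [ -f "$sig" ] || { echo "missing signature file: $sig" >&2; return 1; }
    [ -s "$sig" ] || { echo "signature file is empty: $sig" >&2; return 1; }
    [ -d "$cfgdir" ] || { echo "no such config dir: $cfgdir" >&2; return 1; }

    cp "$xml" "$cfgdir/$base" && cp "$sig" "$cfgdir/$base.sig" || return 1

    if [ "$base" = "$DEFAULT_REALM_FILE" ]; then
        return 0   # default name: no property needed
    fi
    # Non-default name: point wles.realm.filename at it, replacing any
    # existing setting rather than appending a duplicate key.
    touch "$props"
    grep -v '^wles\.realm\.filename=' "$props" > "$props.tmp" || true
    echo "wles.realm.filename=$base" >> "$props.tmp"
    mv "$props.tmp" "$props"
}

# realm_filename <ssm_config_dir>: report which file the SSM will load.
realm_filename() {
    props="$1/security.properties"
    name=""
    [ -f "$props" ] && name=$(sed -n 's/^wles\.realm\.filename=//p' "$props" | tail -n 1)
    [ -n "$name" ] && echo "$name" || echo "$DEFAULT_REALM_FILE"
}
```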

Usage

ALES_ADMIN_HOME\bin\policyIX.bat <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME\bin\policyIX.bat <exportID> <-exportConfig> <config.xml> [exportName] [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <exportID> <-exportConfig> <config.xml> [exportName][-passwdPrompt]

Options

-import

Run the tool in policy import mode.

-export

Run the tool in policy export mode.

exportID

Command line parameter that specifies the SSM configuration ID to export. This entry must match the SSM configuration ID that was specified when the SSM instance was created on the server machine. The configuration ID is the means by which the SSM receives its configuration. If -exportConfig is specified, the exportID is required and must be in the first position.

-exportConfig

Command line parameter that instructs PolicyIX to export the SSM configuration. If -exportConfig is specified it must be in the second position.

exportName

Command line parameter that specifies the name of the exported XML file. If it is not provided, wles.securityrealm.xml is used by default. If -exportConfig is specified, exportName is optional, but must be in the fourth position if present.
The default name for this configuration file is wles.securityrealm.xml. If you do not use the default name, set the wles.realm.filename property in the security.properties file.

config.xml

This configuration file contains BLM configuration and import or export configuration detail. If you run policyIX in import mode, then the configuration file may also contain policy data to be imported. A sample policyIX configuration file can be found at ALES_ADMIN_HOME/config/policyIX_config.xml. See the comments in the sample policyIX_config.xml file for information about the values to include in your configuration file.

policy.xml

If you run policyIX in export mode, then policy data will be exported into this file. If you run policyIX in import mode and the XML configuration file does not contain policy data, then this file will contain policy configuration and data to be imported.

-passwdPrompt

If you use this option, the admin password will be read from command line.

Example

To export a policy:

>policyIX.bat -export MyServer1ExportConfig.xml MyPolicy.xml

To export an SSM configuration:

>policyIX.bat exportID -exportConfig MyServer1ExportConfig.xml MySSM.xml

To import a policy:

>policyIX.bat -import MyServer2ImportConfig.xml MyPolicy.xml

policyexporter

Export ALES policy data from a database server to a directory in policyloader format. The tool requires an empty directory into which it will export the files, and that directory must exist before running the tool. Any existing policy files in that directory will be replaced or deleted. On UNIX, the program prompts for each argument. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

Usage

ALES_ADMIN_HOME\bin\policyexporter.bat [directory]
ALES_ADMIN_HOME/bin/policyexporter.sh

Options

directory

Directory path to which the files will be exported. Use to export to the current directory.

Example

>policyexporter.bat c:\MyPolicy

install_ales_schema

Installs the ALES policy database schema into the database server. If the schema already exists, it will be replaced, including existing policy. On UNIX, the program prompts you to input the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

Usage

ALES_ADMIN_HOME\bin\install_ales_schema.bat <db-username> <db-password> 
ALES_ADMIN_HOME/bin/install_ales_schema.sh

Options

db-username

Login ID, usually the same as the owner.

db-password

Password for the db-username

Example

>install_ales_schema.bat username password

asipassword

A secure password utility tool. It encrypts the password with the key and saves it, base64 encoded, in the password file under the corresponding alias. You can use this tool to store or update the password for the system user or the database user. Both the ASIAuthorizer and the BLM look in password.xml for the password used to connect to the ALES database.

Usage

ALES_ADMIN_HOME\bin\asipassword.bat <alias> [passwordFilename] [keyFilename]
ALES_ADMIN_HOME/bin/asipassword.sh <alias> [passwordFilename] [keyFilename]

Options

alias

The alias for the password, often the username.

passwordFilename

The filename for the xml password file. The default, ssl/password.xml, is used if you do not supply a different value for this option.

keyFilename

The filename for the password key file. The default, ssl/password.key, is used if you do not supply a different value for this option.

Example

cd ssl
../bin/asipassword.bat wles

asisignal

Sends an action command to the server via a Web Service interface.

Usage

ALES_ADMIN_HOME\bin\asisignal.bat -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]
ALES_ADMIN_HOME/bin/asisignal.sh  -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg] 

Options

-action ping, comtest

Send a simple SOAP call to the server, and see if server returns a valid SOAP result.

-action status

Get the server status. Could be INITING or READY.

-action wait

Continuously ping the server until the server replies. If you use this option together with the -reps option, sends ping until the server replies or the number of pings specified by the -reps option has been sent.

-action waitready

Like wait, but waits for the server to reach READY status, not just to respond to the SOAP communication.

-url

The Managed Server SOAP service URL (endpoint), usually ends with /ManagedServer. For example, https://host:7011/ManagedServer.

-msg

The message used by the log action to send to the server.

-reps

Repeat count. Used with the wait and waitready actions.

-interval

Sleep interval between each action, in milliseconds. Default is 1000 msecs (1s).

-?

Print a help message.

-dbg

Turn on debug for this utility.

Example

Ping the BLM Server running on the default port:

>asisignal.bat -action ping -url https://host:7011/ManagedServer

policy2XACML

A utility to translate policy rules from the ALES ASIAuthorizer format to XACML. It reads ALES policies from an input file in policyloader format, translates ALES rules to XACML, and stores the XACML rules to an output file.

Usage

ALES_ADMIN_HOME\bin\policy2XACML.bat [-in filename] [-out filename] [-?]
ALES_ADMIN_HOME/bin/policy2XACML.sh [-in filename] [-out filename] [-?]

Options

-in

The input policy file name. If no input file is provided, read standard input, until EOF is detected.

-out

The output policy file name. If no output file is provided, print to standard output.

Example

>policy2XACML.bat -in rule -out rule.xacml

enrolltool

Enrolls an SCM instance by acquiring security certificates from the associated ALES Administration Server. The enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments in the Administration and Deployment Guide for more information). Before enrolling an SCM instance, make sure that the ALES Administration Server is running.

Usage

ALES_SCM_HOME\bin\enrolltool.bat <demo|secure>
ALES_SCM_HOME/bin/enrolltool.sh <demo|secure>

Options

demo

Enrolls the SCM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.

secure

Enrolls the SCM instance and verifies the Administration Server certificate using a CA certificate from the trust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Menu Options

When the tool is started, it displays the following menu options.

  1. Show Enrolled Domains
  2. Show Un-enrolled Domains
  3. Register Domain
  4. Unregister Domain
  5. Enroll
  6. Un-enroll
  7. Exit

Below you will find the explanations for each option.

  1. Show Enrolled Domains shows the list of all enrolled security domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  2. Show Un-enrolled Domains shows the list of all un-enrolled domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  3. Register Domain registers a new enterprise security domain. You must enter the following data about the domain:
    • the domain name,
    • the URLs of the primary and secondary Administration Severs,
    • listening port number and
    • name of the SCM instance.
    The new data is stored in the ALES_SCM_HOME\config\SCM.properties file. Initially, the new domain is un-enrolled. You must enroll it by selecting Option 1 of the menu.

  4. Unregister Domain unregisters an enterprise security domain. The domain must be un-enrolled before it can be unregistered. You can un-enroll a domain by selecting Option 6 of the menu.
  5. Enroll enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator's username and password to access the administration server. If the SCM is enrolled the first time, you will be asked to enter passwords for the SCM certificate private key and for key stores being generated by the tool.
  6. Un-enroll un-enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator's username and password to access the administration server.

Example

>enrolltool demo

enroll

Enrolls an SSM instance by acquiring security certificates from the associated Administration Server. The enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments for more information). Before enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the enrollment process, you will be asked for the administrator's username and password to connect to the ALES Administration Server. If the SSM is enrolled the first time, you will be asked to enter passwords for the SSM certificate private key and for key stores being generated by the tool.

Usage

SSM_INSTANCE_HOME\adm\enroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/enroll.sh <demo|secure>

Options

demo

Enrolls the SSM instance and verifies Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.

secure

Enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Example

>enroll demo

unenroll

Un-enrolls an SSM instance. As a result of the un-enrollment, the SSM identity certificate is removed from the trusted-peer key stores of the servers the SSM communicates with. Before un-enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the un-enrollment process, you will be asked for the administrator's username and password to connect to the ALES administration server.

Usage

SSM_INSTANCE_HOME\adm\unenroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/unenroll.sh <demo|secure>

Options

demo

Un-enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.

secure

Un-enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Example

>unenroll demo
