what would be the best way to store IBM TAM connection parameters in JAVA? My application is built on JAVA spring and uses TAM for access management. Inorder to connect to IBM TAM i have a java file that gets value from property file which stores the following values application name, configuration url, registry suffix,tam admin username and tam admin paswword.I dont want to store all these values in java code or property file. Please suggest me whether i can store it in the web application server like storing connection strings.
You can use the server certificate within the configuration file. You will always need to specify the configuration file at minimum. It should look something like this:
Locale myLocale = new Locale("ENGLISH", "US");
PDContext myContext = new PDContext(myLocale, configFileURL);
You will need to create your configuration file using svrsslcfg:
java com.tivoli.pd.jcfg.SvrSslCfg -action config
-admin_id sec_master-admin_pwd secpw
-appsvr_id PDPermissionjapp -appsvr_pwd pw -host jsys.myco.com
-mode remote -port 999 -policysvr ampolicy.myco.com:7135:1
-authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf
-key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create
-certrefresh true
Typically in the environment I administer our developers use the PDContext method using the username+password+config file. We have never used the certificate method. I believe if you use the certificate method, the application would connect as the server's user account that is created when you use the svrsslcfg command. That account would need appropriate permissions within TAM to achieve what it needs to.
At the minimum, you will need to specify somewhere to store the configuration URL. I would strongly encourage you not to hard code the value as it limits the administrators that must maintain the application long term. You may also need a place to store the username+password if you decide that you need to connect as specific user and not the server's TAM user account.
Refer to this document for svrsslcfg options to create the configuration file: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_authJava_guide_pdf.pdf
Look at this reference guide for information on how to use PDContext:
https://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_AdminJava_guide_pdf.pdf
Related
We are currently set path of properties file which contains secret/access key for Credentials File for AWSCredentialsProviderControlerService . Issue, is we are changing properties path for prod and non prod each time we run nifi workflow. trying to come up no change on Configuration on Credential File path, so that access/secret key would be read regardless of prod and non prod. Since credential file wont support Nifi Expresion language, trying to make use of ACCESS KEY/SECRET properties ${ENV:equalsIgnoreCase("prod"):ifElse(${ACESS_PROD},${ACESS_NONPROD})} Issue we are facing, we are not able to store these access key/secret keys to the registry. Hence unable to implement this change. Is there any way to read access/secret key regardless of environment in Nifi. Curently we are using 1 property file for non prod nifi and 2nd property file for prod properties. In this set up, manually need to changed to credential file path when switching from prod to non prod. Trying to seamlessly work without changing path of credential file. Is there any way to make this happen?
enter image description here
The process that uses the AWSCredentialsProviderControlerService does not support param or variables, but the AWSCredentialsProviderControlerService "credential file" property supports "Parameters Context" as entries, make use of this for your solution.
Example:
Trigger something --> RouteOnAttribute --> If Prod (run executestreamcmd and change the Parameter Context Value to point to prod credfile) else if DEV(run executestreamcmd and change the Parameter Context Value to point to prod credfile) --> then run you AWS Processor.
You can use the toolkit client to edit the parameter context, or event nipyapi python module. It will not be fast tohu.
I'm working on a tool that generates .rdp files and then invokes them using Microsoft RDP Client. This tool is running on Mac OS.
Everything works well, the only problem is that I can't figure out of how I can generate 'password 51:b' field properly. On Windows this can be done easily by using CryptProtectData method from Crypt32.dll library. How can I do the same on Mac.
Another option could be to use "rdp://" URL scheme, but it doesn't seem allow to pass password this way.
So the question is how can I implement auto-login on Mac if I use third-party RDP client.
As far as i know you can't. You can however create a "User Account" and a Server configuration and add both to the client. The connection will then be visible on the main window and you just need to double click it.
To do so, you need to add the password to the Keychain, use /usr/bin/security to do so from a script. It needs to be a generic-password and saved in com.microsoft.rdc.macos. Also be sure to generate an ID according to the RDP Clients scheme, like BFF77777-7777-7777-7777-777777777777.
You may also set the permissions to read that key using /usr/bin/security and set-generic-password-partition-list specifying the right teamid (UBF8T346G9) and again com.microsoft.rdc.macos. You need the admin password to do this step.
Then you can alter the RDP Clients config file, which is a .sqlite file located at /Users/$(whoami)/Library/Containers/com.microsoft.rdc.macos/Data/Library/Application Support/com.microsoft.rdc.macos/com.microsoft.rdc.application-data.sqlite. Add the user configuration in the ZCREDENTIALENTITY table and make sure the ZID matches the one added to the keychain.
To add a server configuration you need to alter the ZBOOKMARKENTITY table. Just add a configuration by hand using the UI and look at the table to get a feeling of how it needs to be setup. Basically you link your user configuration with the server configuratio by making sure that ZCREDENTIAL in ZBOOKMARKENTITY matches Z_PK in ZCREDENTIALENTITY of your user configuration.
I know the answer is a bit late, but it may give you a starting point. This will however not fully automate the process, you will still need to go to the UI and double click the connection you want to use.
I am trying to create a liberty cluster. While generating the keys, liberty is creating some keys under logged-in user's home directory which is c:\users\xyz\ .ssh.
How do I say liberty to save the keys under d:\users\xyz\ .ssh?
I need this because, i am working in citrix environment and c drive image is always replaced upon restart and I am loosing the keys forcing me to create the cluster again or save a copy of the keys before I log out for day.
Did you try displaying options for registerHost action like this:
D:\Liberty\wlp\bin>collective.bat help registerHost
it shows rpcUserHome param, which might be what you are looking for:
--rpcUserHome=path
Optional. The home directory for the user with which to authenticate
to the RPC mechanism. Defaults to the current OS user home directory.
This value is used when generating SSH keys.
I have a little java program that reads a db2 table via jdbc. This program is invoked via "tso bpxbatch myjavatool".
I wonder if there is the possibility to "pass" the username/password of my TSO user to the JDBC driver?
For example, if I connect to DB2 with a simple REXX script I don't have to specify my username/password again and DB2/RACF checks if my user is allowed to execute the SQLs.
Now my java tool is not running in my TSO address space but under the control of the J9 in the USS address space...
Is there also a way to automatically log in to DB2 with the current TSO user?
I don't know too much about BPXBATCH, but I assume you are still running under your own userid in the USS-address-space.
In your java-code you should be able to get your userid via
String user = System.getProperty("user.name");
As for the password you could try using RACF-Passtickets instead. There is a library IRRRacf.jar in /user/include/java_classes and the corresponding javadoc in IRRRacfDoc.jar in the same directory. the code for generating the Passticket is rather simple:
IRRPassTicket generator = new IRRPassTicket();
String ptkt = generator.generate(user,applid);
then just pass the passticket instead of the password and you should be fine.
Alas, there's several aspects you have to make sure of before using this approach:
Set up RACF to use Passtickets for DB2 - it might already be configured, else you'll have to set up proper profiles in the PTKTDATA-class (See RACF-documentation for more details)
Make sure each user running the code has the proper RACF authorization to use the r_ticketserv callable service (again, see RACF documentation)
Find the correct application-name (applid) for your DB2-system. See the DB2-documentation about using passtickets.
I connect to a remote sqlserver database using the jdbc service. My apps script has my password and userid. Is there a security risk involved. I ask because javascript is open to inspection; are app-scripts open to users?
What is the best way to get that secure information into an app?
Even hard coded values don't show up in the javascript when rendered by the browser. That is because all the code that you write runs on the server side (except client handlers).
However, if you share a script or spreadsheet with the script with another user, the code is visible to the other user.
You can store your username and password in a spreadsheet that only you have access to and read from there during runtime. However, ensure that the script runs under your id (i.e only published as a web app).
Use the UserProperties service. It's values are only available to you and if you decide to make the application multi-user, you could even direct users to store their unique sql username/password in their own UserProperties.