IBM WebSphere Application Server interoperates with the previous product versions. Use this topic to configure this behavior.
Before you begin
Interoperability is achieved using the z/SAS security mechanism for local OS and SAF-based authorization.
Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
Procedure
- Configure WebSphere Application Server Version 6.1 with the same distributed user registry (that is, LDAP or Custom) that is configured with the previous version. Make sure that the same LDAP user registry is shared by all of the product versions.
- In the administrative console, select Security > Secure administration, applications, and infrastructure.
- Choose an available Realm definition and click Configure.
- Enter a Primary administrative user name. This is the identity of the user with administrative privileges that is defined in your local operating system. The user name is used to log on to the administrative console when administrative security is enabled. WebSphere Application Server Version 6.1 requires an administrative user that is distinct from the server user identity so that administrative actions can be audited.
  Attention: In WebSphere Application Server, Versions 5.x and 6.0.x, a single user identity is required for both administrative access and internal process communication. When migrating to Version 6.1, this identity is used as the server user identity. You need to specify another user for the administrative user identity.
- When interoperating with Version 6.0.x or previous versions, you must select the Server identity that is stored in the user repository. Enter the Server user id and the associated Password.
- Fill out the rest of the user registry settings and then click OK.
- Configure the LTPA authentication mechanism. Automatic generation of the LTPA keys should be disabled; otherwise, the keys used by a previous release are lost. Export the current LTPA keys from WebSphere Application Server Version 6.1 and import them into the previous release.
  Important: This step and its sub-steps should only be performed in multiple cell environments where an existing cell is present for the previous application server version.
  - In the administrative console, select Security > Secure administration, applications, and infrastructure.
  - Click Authentication mechanisms and expiration.
  - Click the Key set groups link, then click the key set group that displays in the Key set groups panel.
  - Clear the Automatically generate keys check box.
  - Click OK, then click Authentication mechanisms and expiration in the path at the top of the Key set groups panel.
  - Scroll down to the Cross-cell single sign-on section, and enter a password to use for encrypting the LTPA keys when adding them to the file.
  - Enter the password again to confirm the password.
  - Enter the Fully qualified key file name that contains the exported keys.
  - Click Export keys.
  - Follow the instructions provided in the previous release to import the exported LTPA keys into that configuration.
- If you are using the default SSL configuration, extract all of the signer certificates from the WebSphere Application Server Version 6.1 common trust store. Otherwise, extract signers where necessary to import them into the previous release.
  - In the administrative console, click Security > SSL certificate and key management.
  - Click Key stores and certificates.
  - Click CellDefaultTrustStore.
  - Click Signer certificates.
  - Select one signer and click Extract.
  - Enter a unique path and filename for the signer (for example, c:\temp\signer1.arm).
  - Click OK. Repeat for all of the signers in the trust store.
  - Check other trust stores for other signers that might need to be shared with the other server. Repeat steps e through h to extract the other signers.
- Add the exported signers to DummyServerTrustFile.jks and DummyClientTrustFile.jks in the /etc directory of the back-level product version. If the previous release is not using the dummy certificate, the signer certificate(s) from the previous release must be extracted and added into the WebSphere Application Server Version 6.1 release to enable SSL connectivity in both directions.
  - Open the key management utility, iKeyman, for that product version.
  - Start ikeyman.bat or ikeyman.sh from the ${USER_INSTALL_ROOT}/bin directory.
  - Select Key Database File > Open.
  - Open ${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks.
  - Enter WebAS for the password.
  - Select Add and enter one of the files extracted in step 3. Continue until you have added all of the signers.
  - Repeat steps c through f for the DummyClientTrustFile.jks file.
- Verify that the application uses the correct Java Naming and Directory Interface (JNDI) name and naming bootstrap port for performing a naming lookup.
- Stop and restart all of the servers.
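The iKeyman sub-steps for the dummy trust files, done from the command line, as an added example that is not part of the IBM topic: keytool prints each extracted signer's subject and fingerprint so it can be checked against the console before it is trusted, then imports every signer file into both DummyServerTrustFile.jks and DummyClientTrustFile.jks and lists each store to confirm. The script name, the aliases derived from the file names and the use of keytool in place of iKeyman are assumptions; the file names and the WebAS password are the ones the topic gives.

```shell
#!/bin/sh
# Added example, not part of the IBM topic: import the signer files extracted
# from the Version 6.1 CellDefaultTrustStore into the back-level release's
# dummy trust files with keytool instead of the iKeyman GUI. Assumes keytool
# is on PATH and the dummy trust files still use the default password WebAS.
KEYTOOL="${KEYTOOL:-keytool}"
TRUST_PASS="${TRUST_PASS:-WebAS}"   # default password named in the topic

# Derive a keystore alias from a signer file name: /tmp/signer1.arm -> signer1
alias_from_file() {
    f=${1##*/}
    printf '%s\n' "${f%.*}"
}

# Print the subject and fingerprint of an extracted signer so it can be
# checked against what the console showed before it is trusted.
show_signer() {
    "$KEYTOOL" -printcert -file "$1"
}

# Import one signer file into one trust store under its derived alias.
import_signer() {
    store=$1
    file=$2
    "$KEYTOOL" -import -noprompt -alias "$(alias_from_file "$file")" \
        -file "$file" -keystore "$store" -storepass "$TRUST_PASS"
}

# Import every *.arm file in a directory into both dummy trust files under
# the back-level USER_INSTALL_ROOT, then list each store to confirm.
import_all() {
    root=$1
    dir=$2
    for name in DummyServerTrustFile.jks DummyClientTrustFile.jks; do
        for f in "$dir"/*.arm; do
            import_signer "$root/etc/$name" "$f"
        done
        "$KEYTOOL" -list -keystore "$root/etc/$name" -storepass "$TRUST_PASS"
    done
}

# Usage: sh import_signers.sh <USER_INSTALL_ROOT> <dir with *.arm files>
if [ "$#" -eq 2 ]; then
    for f in "$2"/*.arm; do
        show_signer "$f"
    done
    import_all "$1" "$2"
fi
```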