
What would be the best way to store IBM TAM connection parameters in Java? My application is built on Java Spring and uses TAM for access management. In order to connect to IBM TAM I have a Java file that gets values from a property file which stores the following values: application name, configuration URL, registry suffix, TAM admin username and TAM admin password. I don't want to store all these values in Java code or a property file. Please suggest whether I can store it in the web application server, like storing connection strings.

1 Answer


You can use the server certificate within the configuration file. You will always need to specify the configuration file at minimum. It should look something like this:

import java.net.URL;
import java.util.Locale;
import com.tivoli.pd.jutil.PDContext;

// configFileURL is a java.net.URL pointing at the file written by SvrSslCfg
Locale myLocale = new Locale("ENGLISH", "US");
// Certificate-based context: no user name or password, the runtime authenticates
// with the server certificate held in the keystore named in the configuration file
PDContext myContext = new PDContext(myLocale, configFileURL);

You will need to create your configuration file using svrsslcfg:

java com.tivoli.pd.jcfg.SvrSslCfg -action config
-admin_id sec_master -admin_pwd secpw
-appsvr_id PDPermissionjapp -appsvr_pwd pw -host jsys.myco.com
-mode remote -port 999 -policysvr ampolicy.myco.com:7135:1
-authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf
-key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create
-certrefresh true

Typically, in the environment I administer, our developers use the PDContext method using the username+password+config file. We have never used the certificate method. I believe if you use the certificate method, the application would connect as the server's user account that is created when you use the svrsslcfg command. That account would need appropriate permissions within TAM to achieve what it needs to.

At the minimum, you will need to specify somewhere to store the configuration URL. I would strongly encourage you not to hard-code the value, as it limits the administrators that must maintain the application long term. You may also need a place to store the username+password if you decide that you need to connect as a specific user and not the server's TAM user account.

Refer to this document for svrsslcfg options to create the configuration file: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_authJava_guide_pdf.pdf

Look at this reference guide for information on how to use PDContext: https://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_AdminJava_guide_pdf.pdf

Matt
  • Thanks much for your answer Matt. We are using username and password based authentication. Which one is secure? Username and password based authentication or certificate based authentication? If I want to implement certificate based authentication, where do I have to place my certificate? How will my TAM adapter make use of that certificate while creating the security context? How will the conf file differ between certificate based auth and username & password based authentication? – user3406503 Mar 23 '14 at 12:44
  • When you initialize the TAM runtime for Java, that server will get a cert no matter what. The cert is stored in the keystore that is specified within the config file. That has to be there to create the runtime. So whether you use the certificate for connections to TAM is the question. If you do, then the server does all actions as the server's account (do a user list and you will see your server accounts). If you do not use the cert, all actions are done as the username+password you specify. If you use the cert (and hence the server account) you must grant permissions to the server account. – Matt Mar 23 '14 at 23:05
  • The certificate is less likely to become compromised since it is stored within the keystore. Also, the certificate will auto renew itself as well. On the flip side, a username+password can be shared across multiple servers running the same application and most admins think in terms of username+password (easier for new team members to understand). Also, you could have different accounts (using username+password) for different functions, and only have one TAM runtime on the server. – Matt Mar 23 '14 at 23:12
  • Thanks much Matt :-) I am recommending my team to go with certificate based authentication. My part is to do secure code review and give the best solution. So using certificate based authentication mechanism is the best one. Right? – user3406503 Mar 24 '14 at 07:37
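The answer and comments settle the choice between the two PDContext constructors but leave open the asker's actual question: where the configuration URL and the optional admin credentials live if not in code or a property file. The following Spring configuration class is an added example, not code from the answer or from IBM: it reads the settings from the application server's JNDI environment (the same mechanism used for data-source connection strings) and picks the certificate-based constructor when no credentials are present. The env-entry names, the `example.tam` package and the `TamContextConfig` class are assumptions; the two PDContext constructor signatures and the PDException type are the ones shown in the IBM Admin Java guide linked above.

```java
// Added example (not from the original answer). Assumes the application server
// exposes the TAM settings as JNDI env-entries under java:comp/env (names below
// are hypothetical) and that PDContext offers the two constructors documented in
// the IBM Admin Java guide: (Locale, URL) and (Locale, String, char[], URL).
package example.tam;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import javax.naming.InitialContext;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;

@Configuration
public class TamContextConfig {

    // Hypothetical JNDI names. Declared as <env-entry> in web.xml or bound by the
    // server administrator in the application server console, so the values never
    // sit in the WAR or in source control. The two credential entries are optional.
    private static final String JNDI_CONFIG_URL = "java:comp/env/tam/configUrl";
    private static final String JNDI_ADMIN_ID   = "java:comp/env/tam/adminId";
    private static final String JNDI_ADMIN_PWD  = "java:comp/env/tam/adminPassword";

    @Bean
    public PDContext pdContext() throws NamingException, MalformedURLException, PDException {
        InitialContext jndi = new InitialContext();

        // The configuration file written by SvrSslCfg is always required.
        URL configUrl = new URL((String) jndi.lookup(JNDI_CONFIG_URL));
        String adminId = lookupOptional(jndi, JNDI_ADMIN_ID);
        String adminPwd = lookupOptional(jndi, JNDI_ADMIN_PWD);
        Locale locale = new Locale("en", "US");

        if (adminId == null || adminPwd == null) {
            // Certificate mode: no credentials configured, so the runtime authenticates
            // as the server account created by SvrSslCfg, using the certificate in the
            // keystore named inside the configuration file. That account needs the
            // TAM permissions the application actually uses.
            return new PDContext(locale, configUrl);
        }

        // Username+password mode: the password is passed as a char[] and wiped once
        // the context exists, so it does not linger in the heap as an immutable String.
        char[] pwd = adminPwd.toCharArray();
        try {
            return new PDContext(locale, adminId, pwd, configUrl);
        } finally {
            Arrays.fill(pwd, '\0');
        }
    }

    // Returns null for an entry the administrator chose not to bind, so the same
    // deployment can switch between certificate mode and credential mode without a rebuild.
    private static String lookupOptional(InitialContext jndi, String name) throws NamingException {
        try {
            return (String) jndi.lookup(name);
        } catch (NameNotFoundException e) {
            return null;
        }
    }
}
```

With this arrangement the code base carries no secrets at all: a deployment that binds only `tam/configUrl` runs in certificate mode, and one that also binds `tam/adminId` and `tam/adminPassword` runs as that named account. In either case the keystore referenced by the configuration file (the `-key_file` from the SvrSslCfg command above) must be readable only by the application server's OS account, since possession of it is what authenticates the server.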