Intro
This session is not for the faint-of-heart. I describe some of the many issues I had in trying to run a slightly modified jython program which I use to keep the local directory in sync with an external directory source. Since I am a non-specialist in all these technologies, I am describing this from a non-specialist’ point-of-view.
The Details
RSA provides an authentication manager sdk, AM7.1_sdk.zip, which is required to use the API.
I had it all working on our old appliance. I thought I could copy files onto the new appliance and it would all work again. It’s not nearly so simple.
You log on and su to rsaadmin for all this work.
Let’s call RSAHOME = /usr/local/RSASecurity/RSAAuthenticationManager.
Initially the crux of the problem is to get
$RSAHOME/appserver/jdk/samples/admin/src/AdminAPIDemos.py to run.
But how do you even run it if you know nothing about java, python, jython, and, IMS and weblogic? Ha. It isn’t so easy.
As you see from the above path I unpacked the sdk below appserver. I did most of my work in the $RSAHOME/appserver/jdk/samples/admin directory. First thing is to very carefully follow the instructions in the sdk documentation about copying files and about initializing a trust.jks keystore. You basically grab .jar files from several places and copy them to $RSAHOME/appserver/jdk/lib/java. Failure to do so will be disastrous.
Ant is apparently a souped-up version of make. You need it to compile the jython example. They don’t tell you where it is. I found it here:
$RSAHOME/appserver/modules/org.apache.ant_1.6.5/bin/ant
I created my own run script I call jython-build:
#!/bin/bash Ant=/usr/local/RSASecurity/RSAAuthenticationManager/appserver/modules/org.apache.ant_1.6.5/bin/ant # compiles the examples #$Ant compile #$Ant verify-setup # this worked! #$Ant run-create-jython $Ant run-add-jython |
This didn’t work at first. One error I got:
$Ant verify-setup Error: JAVA_HOME is not defined correctly. We cannot execute java |
OK. Even non-java experts know how to define the JAVA_HOME environment variable. I did this:
$ export JAVA_HOME=/usr/local/RSASecurity/RSAAuthenticationManager/appserver/jdk
I did a
$ $Ant verify-setup
and got missing com.bea.core.process.5.3.0.0.jar. I eventually found it in …utils/jars/thirdparty. And so I started copying in all the missing files. This was before I discovered the documentation! Copying all the jar files can get you so far, but you will never succeed in copying in wlfullclient.jar because it doesn’t exist! Turns out there is a step described in the sdk documentation which you need to do that creates this jar file. Similarly, trust.jks, your private keystore, does not exist. You have to follow the steps in the sdk documentation to create it with keytool, etc. You’ll need to augment your path, of course:
$ export PATH=$PATH:/usr/local/RSASecurity/RSAAuthenticationManager/appserver/jdk/bin
Some errors are experienced in and around this time:
org/apache/log4j/Appender not found
org/apache/commons/logging not found
This was when I was copying jar files in one-by-one and not following the sdk instructions.
I also got
weblogic.security.SSL.TrustManager class not found. This was more vexing at the time because it didn’t exist in any of my jar files! This is when I discovered that wlfullclient.jar has to be created by hand. It contains that class. Here’s how I check the jar contents:
$ jar tvf wlfullclient.jar|grep weblogic/security/SSL/Trust
481 Wed May 09 18:12:02 EDT 2007 weblogic/security/SSL/TrustManager.class |
For the record, my …lib/java directory, which has a few more files than it actually needs, looks like this:
activation-1.1.jar commons-pool-1.2.jar opensaml-1.0.jar am-client.jar commons-validator-1.3.0.jar oscache-2.3.2rsa-1.jar am-server-o.jar console-integration-api.jar replication-api.jar ant-1.6.5.jar dbunit-2.0.jar rsaweb-security-3.0.jar antlr-2.7.6.jar dom4j-1.6.1.jar rsawebui-3.0.jar asm-1.5.3.jar EccpressoAsn1.jar serializer-2.7.0.jar axis-1.3.jar EccpressoCore.jar spring-2.0.7.jar axis-saaj-1.3.jar EccpressoJcae.jar spring-mock-2.0.7.jar c3p0-0.9.1.jar framework-common.jar store-command.jar certj-2.1.1.jar groovy-all-1.0-jsr-05.jar struts-core-1.3.5.jar cglib-2.1_3.jar hibernate-3.2.2.jar struts-extras-1.3.5.jar classpath.jar hibernate-annotations-3.2.1.jar struts-taglib-1.3.5.jar classworlds-1.1.jar hibernate-ejb-persistence-3.2.2.jar struts-tiles-1.3.5.jar clu-common.jar hibernate-entitymanager-3.2.1.jar systemfields-o.jar com.bea.core.process_5.3.0.0.jar ims-server-o.jar trust.jks commons-beanutils-1.7.0.jar install-utils.jar ucm-clu-common.jar commons-chain-1.1.jar iScreen-1-1-0rsa-2.jar ucm-server-o.jar commons-cli-1.0.jar iScreen-ognl-1-1-0rsa-2.jar update-instance-node-ext.jar commons-codec-1.3.jar jargs-1.0.jar wlcipher.jar commons-collections-3.0.jar javassist-3.9.0.GA.jar wlfullclient.jar commons-dbcp-1.2.jar jboss-archive-browsing-5.0.0.Alpha.jar wrapper-3.2.1rsa1.jar commons-digester-1.6.jar jdom-1.0.jar wsdl4j-1.5.1.jar commons-discovery-0.2.jar jline-0.9.91rsa-1.jar xalan-2.7.0.jar commons-fileupload-1.2.jar jsafe-3.6.jar xercesImpl-2.7.1.jar commons-httpclient-3.0.1.jar jsafeJCE-3.6.jar xml-apis-1.3.02.jar commons-io-1.2.jar jython-2.1.jar xmlsec-1.2.97.jar commons-lang-2.2.jar license.bea xmlspy-schema-2006-sp2.jar commons-logging-1.0.4.jar log4j-1.2.11rsa-3.jar commons-net-2.0.jar ognl-2.6.7.jar |
I don’t know if these steps are necessary, but they should work at this stage:
$Ant compile
$Ant verify-setup
$Ant run-create-jython
But are we done? No way. Don’t forget to edit your config.properties:
# JNDI factory class. java.naming.factory.initial = weblogic.jndi.WLInitialContextFactory # Server URL(s). May be a comma separated list of URLs if running against a cluster # NOTE: Replace authmgr-test.drj.com with the hostname of the managed server java.naming.provider.url = t3s://authmgr-test.drj.com:7002 # User ID for process-level authentication. # run rsautil manage-secrets --action list to learn these # com.rsa.cmdclient.user = CmdClient_blahblahblah # Password for process-level authentication com.rsa.cmdclient.user.password = blahblahblah # Password for Two-Way SSL client identity keystore com.rsa.ssl.client.id.store.password = password # Password for Two-Way SSL client identity private key com.rsa.ssl.client.id.key.password = password # Provider URL for Two-Way SSL client authentication ims.ssl.client.provider.url = t3s://authmgr-test.drj.com:7022 # Identity keystore for Two-Way SSL client authentication ims.ssl.client.identity.keystore.filename = client-identity.jks # Identity keystore private key alias for Two-Way SSL client authentication ims.ssl.client.identity.key.alias = client-identity # Identity keystore trusted root CA certificate alias ims.ssl.client.root.ca.alias = root-ca # SOAPCommandTargetBasicAuth provider URL ims.soap.client.provider.url = https://authmgr-test.drj.com:7002/ims-ws/services/CommandServer |
As it says you need to run
$ rsautil manage-secrets –action list
or
$ rsautil manage-secrets –action listkeys
to get the correct username/password. The URLs also need appropriate tweaking of course. Failure to do these things will produce some fairly obvious errors, however. Strangely, the keystore-related values which look like placeholders since they say “password” really don’t have to be modified.
Try to run jython-build now and you may get, like I did,
Cannot import name AddGroupCommand |
which is a clear reference to this line in the python file:
from com.rsa.admin import AddGroupCommand |
Rooting around, I find this class in ims-server-o.jar which I already have in my …lib/java. So I decided to make a ~/.api file which contains not only the JAVA_HOME, but a CLASSPATH:
export JAVA_HOME=/usr/local/RSASecurity/RSAAuthenticationManager/appserver/jdk export CLASSPATH=/usr/local/RSASecurity/RSAAuthenticationManager/appserver/jdk/lib/java/ims-server-o.jar |
Actually my ~/.api file contains more. I just borrowed $RSAHOME/utils/rsaenv and added those definitions, but I’m not sure any of the other stuff is needed.
Are we there yet? Not in my case. Now we get a simple “Access Denied.” I was stymied by this for awhile. I went to reporting and found this failure logged under Authentication Monitor:
(Description) User admin attempted authentication using authenticator RSA_password.
(Reason) Authentication method failed.
What this was about is that I had forgot to update my build.xml file with the correct username and password:
<property name="admin.name" value="admin"/> <property name="admin.pw" value="mypassword"/> |
After correcting that, it began to work.
Update after several months
Well, after some months of inattention, now once again it doesn’t work! I checked my adduser log file and saw this nugget in the traceback:
[java] File "src/AdminAPIDemos.py", line 846, in ? [java] com.rsa.authn.AuthenticationCommandException: Access Denied |
The only other clue I have is that another administrator changed the Super Admin password a couple weeks ago as it was expired. I haven’t resolved this one yet, it’s a work in progress! Ah. Simple. I needed to update my build.xml with the latest admin password. Hmm. That could be kind of a pain if it’s expiring every 90 days.
Conclusion
I was battered by this exercise, mostly by my own failure to read the manual. But some things are simply not documented. Why all the fuss just to get demo code working? Because we can customize it. I felt that once I had the demo running, the sky was the limit and creating customization to do automated add/delete would not be that difficult.
To see the jython script I created to do the user add/deletes click on this article: Add/Delete Jython Script for RSA Authentication Manager
5 replies on “Problems with Jython API for RSA Authentication Manager”
[…] Dr John's Tech Talk Technical Discussion of Internet Infrastructure Skip to content HomeSample Page ← Problems with Jython API for RSA Authentication Manager […]
Was this work done on the RSA AM server or on a client Java dev box? I have a problem trying to get C# working, but the RSA AM 7.1 server is a Windows box. According to the manual I need to copy the config.properties and CommandClientAppContextOverrides.xml files to the “class path”, but what is that path, and in which box, the AM server or the C# client?
I used the RSA appliance (which is Linux based) for this work, not a dev box. Guess I can’t help you further – as you see I had to “feel” my way through all the many problems I encountered.
Hi,
How do I get the values for :
ims.ssl.client.provider.url
ims.soap.client.provider.url
Are the URL / ports used here are standard? Or, is there any way I can run some command in RSA Auth Manager to get this information?
I am trying to integrate Tivoli Identity Manager with RSA Auth Manager, and I dont have much clarity on RSA Auth Manager’s architecture / port details.
Your guidence will be highly helpful and be appreciated.
Thank you,
What I’ve shown in the listing are the standard ports. I no longer have access to this environment, but I believe running rsautil – I provided a few examples above – provides all kinds of information about the environment. You just need to provide it the right arguments.