IBM Tivoli Access Manager for e-business
Administration Java Classes Developer Reference
Version 5.1
SC32-1356-00
Note: Before using this information and the product it supports, read the information in Appendix E, “Notices,” on page 87.

First Edition (November 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2002, 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface ... vii
  Who should read this book ... vii
  What this book contains ... vii
  Publications ... ix
    Release information ... ix
    Base information ... ix
    Web security information ... x
    Developer references ... x
    Technical supplements ... xi
  Related publications ... xi
  Accessing publications online ... xiv
  Accessibility ... xv
  Contacting software support ... xv
  Conventions used in this book ... xv
    Typeface conventions ... xv
    User registry differences ... xv
    Operating system differences ... xvi

Chapter 1. Introducing the administration API ... 1
  Administration Java classes overview ... 1
    Other ways to manipulate administration objects ... 2
  Java administration API components ... 2
    Application development kit ... 2
  Building Java applications with the administration API ... 3
    IBM Tivoli Access Manager software requirements ... 3
    Configuring the Java runtime component to a particular Java runtime environment ... 4
    Configuring to use the Java administration classes ... 4
    Security requirements ... 4
  Java administration API example program ... 5
  Deploying a Java administration API application ... 5
  Gathering problem determination information ... 5
    Enabling tracing on the policy server ... 6
    Enabling tracing on the authorization server ... 6
    Enabling tracing in the Java runtime component ... 6
    Gathering message logs ... 6
    Gathering trace logs ... 7

Chapter 2. Using the administration API ... 9
  Administration objects ... 9
  Common classes ... 11
  Initializing the administration API ... 12
  Establishing a security context ... 12
    User ID and password-based authentication ... 12
    Certificate-based authentication ... 13
  Manipulating administration objects ... 14
    Creating objects ... 14
    Obtaining a local copy of an object ... 15
    Reading object values ... 16
    Setting object values ... 16
    Listing objects ... 16
    Deleting objects ... 17
  Messages ... 17
  Handling errors ... 18
  Shutting down the administration API ... 18
  Character-based data considerations ... 18

© Copyright IBM Corp. 2002, 2003 iii
Chapter 3. Administering users and groups ... 19
  Administering users ... 19
    Administering user information ... 20
    Administering user account policies ... 21
    Administering user password policies ... 22
  Administering groups ... 23
    Administering group information ... 24

Chapter 4. Administering protected objects and protected object spaces ... 25
  Administering protected object spaces ... 25
  Administering protected objects ... 26
    Administering protected object attributes ... 27

Chapter 5. Administering access control ... 29
  Administering access control lists ... 29
    Administering access control list entries ... 30
    Administering access control list extended attributes ... 32
  Administering action groups ... 32
  Administering extended actions ... 33

Chapter 6. Administering protected object policies ... 35
  Administering protected object policy objects ... 35
    PDPop.IPAuthInfo object ... 36
  Administering protected object policy settings ... 36
  Administering protected object policy extended attributes ... 37

Chapter 7. Administering authorization rules ... 39

Chapter 8. Administering single signon resources ... 41
  Administering Web resources ... 41
  Administering resource groups ... 42
  Administering resource credentials ... 43

Chapter 9. Administering domains ... 45

Chapter 10. Configuring application servers ... 47
  Configuring application servers ... 47
  Administering configuration information ... 47
  Certificate maintenance ... 48

Chapter 11. Administering servers ... 49
  Getting and performing administration tasks ... 49
  Notifying replica databases when the master authorization database is updated ... 49
    Notifying replica databases automatically ... 50
    Notifying replica databases manually ... 50
    Setting the maximum number of notification threads ... 50
    Setting the notification wait time ... 50
  Administrating servers and database notification ... 51

Appendix A. Differences between the C and Java administration API ... 53
  Security context management differences ... 53
  Response processing differences ... 53
  Additional differences ... 53

Appendix B. Deprecated Java classes and methods ... 55

Appendix C. User registry differences ... 57

iv IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference

Appendix D. Administration API equivalents ... 61

Appendix E. Notices ... 87
  Trademarks ... 88

Glossary ... 91

Index ... 97

Contents v
Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

This reference contains information about how to use Tivoli Access Manager administration Java™ classes and methods to enable an application to programmatically perform Tivoli Access Manager administration tasks. This document describes the Java implementation of the Tivoli Access Manager administration API. See the IBM Tivoli Access Manager for e-business Administration C API Developer Reference for information regarding the C implementation of these APIs. Information on the pdadmin command line interface (CLI) can be found in the IBM Tivoli Access Manager for e-business Command Reference.

Who should read this book

This reference is for application programmers implementing programs in the Java programming language to administer the users and objects associated with the IBM Tivoli Access Manager product.

Readers should be familiar with the following:
• PC and UNIX® operating systems
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
• The user registry that Tivoli Access Manager is configured to use
• Lightweight Directory Access Protocol (LDAP) and directory services, if used by your user registry
• Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.
What this book contains

This reference contains the following chapters and appendixes:

• Chapter 1, “Introducing the administration API,” on page 1
  Provides an overview of the administration API and its components. It also covers building applications with the API and deploying an administration API program.
• Chapter 2, “Using the administration API,” on page 9
  Each application that uses the administration API must perform certain tasks necessary for API initialization, shut down, and error handling. This chapter describes the supported methods for establishing security contexts, creating objects, setting object values, reading object values, listing object information, deleting objects, handling errors, and shutting down.
• Chapter 3, “Administering users and groups,” on page 19
  The administration API provides a collection of methods for administering Tivoli Access Manager users and groups. This chapter describes the tasks that those methods accomplish. It describes the supported methods for administering users, user accounts, user passwords, groups, group attributes, and the policies associated with users.
• Chapter 4, “Administering protected objects and protected object spaces,” on page 25
  This chapter describes the administration API methods that are used to administer protected object spaces and protected objects. It describes the supported methods for administering protected object spaces, protected objects, and protected object attributes.
• Chapter 5, “Administering access control,” on page 29
  This chapter describes the administration API methods that are used to administer access control. It describes the supported methods for administering access control lists, access control list entries, and access control list extended attributes.
• Chapter 6, “Administering protected object policies,” on page 35
  This chapter describes the administration API methods that are used to create, modify, examine, and delete protected object policies. It also discusses attaching or detaching protected objects from protected object policies. It describes the supported functions for administering protected object policy objects, protected object policy settings, and protected object policy extended attributes.
• Chapter 7, “Administering authorization rules,” on page 39
  This chapter provides instructions for using the administration API to create, delete, list, and modify authorization rules.
• Chapter 8, “Administering single signon resources,” on page 41
  This chapter provides instructions for using the administration API to create, modify, or delete web resources, resource groups, and resource credentials.
• Chapter 9, “Administering domains,” on page 45
  This chapter provides instructions for using the administration API to create, delete, list, and modify Tivoli Access Manager policy server domains.
• Chapter 11, “Administering servers,” on page 49
  This chapter provides information about getting and performing administration tasks and notifying the replica database when the master authorization database is updated.
• Chapter 10, “Configuring application servers,” on page 47
  This chapter provides instructions for using the administration API to configure servers, modify server configurations, administer replicas, and perform certificate maintenance.
• Appendix A, “Differences between the C and Java administration API,” on page 53
  This appendix outlines the differences between the administration C API functions and the administration Java classes and methods.
• Appendix B, “Deprecated Java classes and methods,” on page 55
  This appendix provides a list of the Java classes and methods that have been deprecated in this version of Tivoli Access Manager.
• Appendix C, “User registry differences,” on page 57
  This appendix outlines the differences in behavior of the classes and methods based on the user registry being used by Tivoli Access Manager.
• Appendix D, “Administration API equivalents,” on page 61
  This appendix shows the mapping that exists between the Administration C APIs, the Administration Java classes and methods, and the command line interface (CLI).
• Appendix E, “Notices,” on page 87
  This appendix provides copyright, legal, and trademark information.
Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
• “Release information”
• “Base information”
• “Web security information” on page x
• “Developer references” on page x
• “Technical supplements” on page xi

Release information

• IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
• IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.
Web security information

• IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
• IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
• IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
• IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
• IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
• IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

• IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
• IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
• IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
• IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
• IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

• IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
• IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.

The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
• IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
• IBM Directory Server (Version 4.1 and Version 5.1)
• IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:
http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:
http://www.ibm.com/software/webservers/appserv/infocenter.html
IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
• IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
• IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
• IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
• IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
• IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
• IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
• IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/
Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page. Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).
Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.
Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support
Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
    Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
    Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
    Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

User registry differences

Tivoli Access Manager supports a number of different user registries. In most cases, the behavior of Tivoli Access Manager is the same regardless of what user registry is in use. However, there are several cases where the processing of a given method differs based on what user registry is being used. A note similar to the following highlights these differences:

User registry difference: This text would describe the different behavior based on the user registry in use.
See Appendix C, “User registry differences,” on page 57 for a complete list of known differences.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Chapter 1. Introducing the administration API

The IBM Tivoli Access Manager (Tivoli Access Manager) Java runtime component includes the Java language version of the Tivoli Access Manager administration API. The Tivoli Access Manager Java runtime component provides a set of Java classes and methods for the administration of selected Tivoli Access Manager administration objects. These classes and methods provide a way for applications to administer users, groups, protected objects, and access control lists. You can use the Tivoli Access Manager application developer kit (ADK) to enable your application to programmatically administer Tivoli Access Manager administration objects.

This chapter contains the following topics:
• “Administration Java classes overview”
• “Java administration API components” on page 2
• “Building Java applications with the administration API” on page 3
• “Java administration API example program” on page 5
• “Deploying a Java administration API application” on page 5
• “Gathering problem determination information” on page 5

Note: If you are familiar with the C language interface to the Tivoli Access Manager administration API, see Appendix A, “Differences between the C and Java administration API,” on page 53 for a general overview of differences. A mapping of C APIs to Java classes and methods can be found in Appendix D, “Administration API equivalents,” on page 61.

Administration Java classes overview

The administration Java classes can be used to administer the following types of objects:
• Policies
• Users
• Groups
• Access control lists (ACLs)
• Extended ACL actions
• Protected object policies (POPs)
• Protected objects
• Protected object spaces
• Authorization rules
• Domains
• Web, or single signon (SSO), resources
• Web resource groups
• Resource credentials

A set of Java classes is provided for creating, modifying, examining, listing, and deleting each of the preceding object types. The classes include the methods necessary for manipulating each of these administration objects. These administration Java classes are packaged in the PD.jar file that is installed as part of the Tivoli Access Manager Java runtime environment component. Applications using the Java runtime environment provided with Tivoli Access Manager automatically have access to these classes and methods.
The administration API Java classes communicate directly with the Tivoli Access Manager policy server component. The API establishes an authenticated, Secure Sockets Layer (SSL) session with the Tivoli Access Manager policy server process. After the SSL session is established, the classes can send administration requests to the policy server. The Tivoli Access Manager policy server component services these requests in the same manner that it would service any other incoming requests.

System administrators also can use the pdadmin command line interface to accomplish Tivoli Access Manager administration tasks. The Java administration classes and methods map closely to these commands. Appendix D, “Administration API equivalents,” on page 61 describes the commands that match Java administration API methods. Some Java methods do not have a pdadmin command line equivalent.

Note: The svrsslcfg command line interface should not be used with Java applications. Use the SvrSslCfg Java class to provide this functionality.
Other ways to manipulate administration objects

In addition to using the Java administration APIs to manipulate these objects, you also can use the following methods:

pdadmin command line interface (CLI)
    The pdadmin command line interface is explained in the IBM Tivoli Access Manager for e-business Command Reference.

Administration C API
    The administration C API provides support for these administration objects. Refer to the IBM Tivoli Access Manager for e-business Administration C API Developer Reference for details.
Java administration API components

The administration API consists of the following components:
• The administration Java classes
• Javadoc information for the associated Java classes and methods
• A demonstration application

The administration API Java classes are distributed in the Tivoli Access Manager Java runtime component for each platform. The remainder of the administration API components are distributed in the Tivoli Access Manager Application Developer Kit component.

Application development kit

The Javadoc information associated with the administration Java classes and methods, as well as examples, are provided as part of the Tivoli Access Manager application developer kit (ADK) component package.
Table 1 lists the files that are installed as part of the Tivoli Access Manager ADK component. The PD.jar file, even though it is installed as part of the Tivoli Access Manager Java runtime component, is listed in the table for completeness.

Table 1. Administration API application development kit files

Directory: AM_BASE/nls/javadocs/pdjrte/index.html
Files: index.html (and many others)
File Description: Javadoc HTML documentation for the Java classes and methods provided with the Tivoli Access Manager Java runtime component.

Directory: AM_BASE/example/pdadminapi_demo/java
Files: README.PDAdminDemo, PDAdminDemo.java, PDAdminDemo.class, PDAdminDemo$ConsoleEraser.class
File Description: A demonstration program is provided which illustrates the use of the administration Java APIs. You can copy the demonstration program to any directory. The readme file explains how to run and recompile the demonstration program.

Directory: JAVA_HOME/lib/ext
Files: PD.jar
File Description: The Java Archive (JAR) file containing the classes and methods associated with the administration APIs.
Note: When you use the pdjrtecfg command line interface to configure the Tivoli Access Manager Java runtime component to a particular JRE, this archive file is copied to JAVA_HOME/lib/ext. Therefore, there is no need to modify the CLASSPATH in your environment to access the classes and methods defined in this archive file.
Building Java applications with the administration API

To develop Java applications that use the Tivoli Access Manager administration API, you must install and configure the required software.

IBM Tivoli Access Manager software requirements

You must install and configure a Tivoli Access Manager secure domain. If you do not have a Tivoli Access Manager secure domain installed, install one before beginning application development. The minimum installation consists of a single system with the following Tivoli Access Manager components installed:
• Tivoli Access Manager runtime environment (see Note 1 on page 4)
• Tivoli Access Manager Java runtime component
• Tivoli Access Manager policy server
• Tivoli Access Manager ADK

If you already have a Tivoli Access Manager secure domain installed and want to add a development system to the domain, the minimum Tivoli Access Manager installation consists of the following components:
• Tivoli Access Manager runtime environment (see Note 1 on page 4)
• Tivoli Access Manager Java runtime component
• Tivoli Access Manager ADK

For Tivoli Access Manager installation instructions, refer to the section of the IBM Tivoli Access Manager Base Installation Guide for your operating system platform.
Notes:
1. The Tivoli Access Manager runtime environment component is not needed for developing or deploying a Tivoli Access Manager Java application. The prerequisite checking for the Tivoli Access Manager ADK component is in error and erroneously requires that the Tivoli Access Manager runtime component be installed, even if you are developing only Java applications and simply need the Javadoc information and the example files from the ADK component. To save disk space, you can copy the Javadoc HTML information, consisting of the entire AM_BASE/nls/javadocs directory tree, along with the sample Java program, in the AM_BASE/example directory tree, to another location on your development system and then uninstall the Tivoli Access Manager ADK and runtime components.
2. If you intend to use the Tivoli Access Manager runtime environment for an administration C API application, you also must install the IBM® Directory client if an LDAP or Lotus Domino server is being used as the user registry in the secure domain.
Configuring the Java runtime component to a particular Java runtime environment

Configure the Tivoli Access Manager Java runtime component to use the proper JRE on the system by using the pdjrtecfg command. The Tivoli Access Manager Java runtime component can be configured to several different JREs on the same system, if desired. See the IBM Tivoli Access Manager Base Installation Guide for details.
Configuring to use the Java administration classes

The com.tivoli.pd.jcfg.SvrSslCfg Java class must be used to configure the administration Java APIs. See the IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference for details on the SvrSslCfg utility.

Notes:
1. Do not use the svrsslcfg command line interface to create configuration files that are to be used with Java applications.
2. The com.tivoli.mts.SvrSslCfg class provided in previous versions of IBM Tivoli Access Manager and IBM SecureWay Policy Director has been deprecated. Use the new com.tivoli.pd.jcfg.SvrSslCfg class instead.
Security requirements

When running a Java application in the context of a Java security manager, the application must have the proper Java permissions to use the administration Java APIs. If the application is not installed as a Java extension in the JAVA_HOME/lib/ext directory, an entry must be added to the JAVA_HOME/lib/security/java.policy file.

For example, to grant Java applications located in the /sb/pdsb/export/classes directory, and all its subdirectories, the necessary Java permissions to use authorization Java classes and methods, add a statement similar to the one shown in Figure 1 to the java.policy file.

Invoke administration Java classes and methods from a privileged block, doPrivileged(), to alleviate the need for the application’s callers to have this Java permission as well.

The PD.jar file is signed, but verification of the signing of JAR files is not supported in this version of Tivoli Access Manager.
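The following is an added example of the doPrivileged() pattern the preceding paragraph recommends; it is not code from this manual or from the ADK demonstration program. It assumes the PDAdmin, PDContext, PDException and PDMessages classes behave as this chapter describes, that the code base holding this class has the grant of Figure 1 (or an equivalent) in java.policy, and that a configuration file has already been produced with com.tivoli.pd.jcfg.SvrSslCfg. The package names com.tivoli.pd.jadmin and com.tivoli.pd.jutil, the char[] password parameter of the PDContext constructor, the PDAdmin.shutdown(PDMessages) signature, the "Default" domain name, the class and method names and the file path are all assumptions of the example, not statements of the manual.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDAdmin;        // package name: assumption
import com.tivoli.pd.jutil.PDContext;       // package name: assumption
import com.tivoli.pd.jutil.PDException;     // package name: assumption
import com.tivoli.pd.jutil.PDMessages;      // package name: assumption

/**
 * Added example, not from the manual or the ADK demonstration program.
 *
 * Every administration API call runs inside AccessController.doPrivileged(), so only
 * the code base that holds this class needs the javax.security.auth.AuthPermission
 * "PDAdmin" grant of Figure 1; callers further up the stack need no permission of
 * their own. The privileged blocks contain nothing but the API calls: no
 * caller-supplied callback runs inside them, which is what keeps the grant from
 * leaking to code that was never meant to have it.
 *
 * Raw PrivilegedExceptionAction (no generics) is used on purpose so the code also
 * compiles on the 1.3/1.4 JREs that this release's pdjrtecfg targets.
 */
public class PrivilegedAdminSession {

    private final Locale locale = Locale.US;
    private PDContext context;

    /** Initialize the API and open the security context in one privileged block. */
    public void open(final String appName, final String adminId, final char[] adminPassword,
                     final String domain, final URL configFileUrl) throws PDException {
        try {
            Object ctx = AccessController.doPrivileged(new PrivilegedExceptionAction() {
                public Object run() throws PDException {
                    PDMessages messages = new PDMessages();
                    PDAdmin.initialize(appName, messages);            // as in Figure 2
                    // User ID and password-based context, as in Figure 3.
                    // char[] password parameter is an assumption of this example.
                    return new PDContext(locale, adminId, adminPassword, domain, configFileUrl);
                }
            });
            context = (PDContext) ctx;
        } catch (PrivilegedActionException e) {
            // run() declares only PDException, so that is the only checked cause possible.
            throw (PDException) e.getException();
        }
    }

    /** The established context, for the rest of the application to pass to PDUser and friends. */
    public PDContext context() {
        return context;
    }

    /** Teardown is privileged for the same reason as setup. shutdown(PDMessages): assumption. */
    public void close() throws PDException {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction() {
                public Object run() throws PDException {
                    PDAdmin.shutdown(new PDMessages());
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            throw (PDException) e.getException();
        } finally {
            context = null;
        }
    }

    /** Typical use; the configuration file URL must use the file:/// form the manual requires. */
    public static void main(String[] args) throws Exception {
        // Read the administrator password from standard input rather than from argv,
        // where it would be visible to every other process on the system.
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        System.out.print("sec_master password: ");
        String line = in.readLine();
        if (line == null) {
            throw new IllegalStateException("no password supplied");
        }
        String domain = args.length > 0 ? args[0] : "Default";   // "Default": assumed domain name

        PrivilegedAdminSession session = new PrivilegedAdminSession();
        session.open("myApplicationName", "sec_master", line.toCharArray(), domain,
                     new URL("file:///opt/myapp/etc/myapp.conf"));   // path is a placeholder
        try {
            System.out.println("security context established: " + (session.context() != null));
        } finally {
            session.close();   // always release the SSL session to the policy server
        }
    }
}
```

Keep the privileged block as small as the one shown: the grant covers whatever executes inside run(), so a block that also invokes application code would extend "PDAdmin" to that code.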
// Give applications in /sb/pdsb/export/classes and
// its subdirectories access to the Access Manager
// Administration APIs
grant codeBase "file:/sb/pdsb/export/classes/-" {
    permission javax.security.auth.AuthPermission "PDAdmin";
};

Figure 1. Granting Java permission to applications

Java administration API example program

The Tivoli Access Manager ADK includes the complete Java source code for an example program that demonstrates the use of the administration Java classes. The example program demonstrates how to perform the following tasks:
• Initialize an administration API security context
• Display an error message
• Create a new Tivoli Access Manager user
• Set a user account to be valid
• Create a new group
• Add the new user to the group
• Delete a group
• Delete a user

Deploying a Java administration API application

Java applications that have been developed using the Tivoli Access Manager administration API must be run on systems that are configured as part of a Tivoli Access Manager secure domain. To run an administration Java application, you must have installed the Tivoli Access Manager Java runtime component.

Note: Information on installing the Tivoli Access Manager Java runtime component can be found in the IBM Tivoli Access Manager Base Installation Guide.

Gathering problem determination information

When developing a Java application, you might encounter a problem with Tivoli Access Manager. To assist Tivoli support personnel in diagnosing your problem, gather problem determination information relating to your error. Tivoli Access Manager components can be configured to log information to one or more trace files. You can enable tracing for the policy server, the authorization server, the Java runtime component, or any system using the Tivoli Access Manager runtime environment.
Enabling tracing on the policy server

To enable tracing on the policy server, edit the /etc/pdmgrd_routing file, located in the installation directory for the Tivoli Access Manager policy server, and uncomment the last line. Shut down and restart the policy server daemon, pdmgrd.

Enabling tracing on the authorization server

To enable tracing on the authorization server, edit the /etc/pdacld_routing file, located in the installation directory for the Tivoli Access Manager authorization server, and uncomment the last line. Shut down and restart the authorization server daemon, pdacld.

Enabling tracing in the Java runtime component

Tracing for the Tivoli Access Manager Java runtime component is controlled by settings in the properties file created by the com.tivoli.pd.jcfg.SvrSslCfg command. To enable tracing, edit the properties file created and update the line associated with the desired application-server-name to set isLogging to true:
baseGroup.PDJ<application-server-name>TraceLogger.isLogging=true

Each Java application can be configured to use a different properties file, and the properties file can have any name and be located in any directory. The PDJLog.properties file, located in the PolicyDirector subdirectory of the associated JRE, is installed by the Tivoli Access Manager Java runtime environment component. This properties file is associated with, and can be used to enable tracing in, the pdjrtecfg command as well as the com.tivoli.pd.jcfg.SvrSslCfg command.
Gathering message logs

Message logs associated with applications that are configured using the com.tivoli.pd.jcfg.SvrSslCfg command are, by default, written to a set of 3 files: msg__application_name1.log, msg__application_name2.log, and msg__application_name3.log, where application_name is the name specified with the appSvr parameter of SvrSslCfg. Each file is 512 KB in size, and the msg__application_name1.log file always contains the latest messages. The number and size of these files, as well as the base name of the files themselves, can be configured using the options in the configuration file.

Note: There are two underscore characters (_) following the characters msg in the default file names.

The PDJLog.properties file controls the message logging for Java programs not configured with the com.tivoli.pd.jcfg.SvrSslCfg command. This properties file specifies different file names for each class of Tivoli Access Manager message: FATAL, ERROR, WARNING, NOTICE, or NOTICEVERBOSE. Each class of message is written to a set of 3 files, with names of the following form:
msg__amj_fatalN.log
msg__amj_errorN.log
msg__amj_warningN.log
msg__amj_noticeN.log
msg__amj_noticeverboseN.log
For more information on message logging, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.

Gathering trace logs

Trace logs associated with applications that are configured using the com.tivoli.pd.jcfg.SvrSslCfg command are, by default, written to a set of 3 files: trace__application_name1.log, trace__application_name2.log, and trace__application_name3.log, where application_name is the name specified with the appSvr parameter of SvrSslCfg. Each file is 512 KB in size, and the trace__application_name1.log file always contains the latest trace entries. The number and size of these files, as well as the base name of the files themselves, can be configured using the options in the configuration file.

Note: There are two underscore characters (_) following the characters trace in the default file names.

The PDJLog.properties file controls the trace logging for Java programs not configured with the com.tivoli.pd.jcfg.SvrSslCfg command. By default, this trace output is directed to a set of 3 files called trace__amj1.log, trace__amj2.log, and trace__amj3.log. The number and size of these files, as well as the base name of the files themselves, can be configured using the options in the PDJLog.properties file. For more information, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.
Chapter 2. Using the administration API

Each Java application that uses the administration API must perform certain tasks necessary for API initialization, shut down, and error handling. The administration API provides methods for each of these tasks. The following sections in this chapter describe the supported functions:
• “Administration objects”
• “Initializing the administration API” on page 12
• “Establishing a security context” on page 12
• “Manipulating administration objects” on page 14
• “Messages” on page 17
• “Handling errors” on page 18
• “Shutting down the administration API” on page 18
• “Character-based data considerations” on page 18

Note: If you are familiar with the administration C API described in the IBM Tivoli Access Manager for e-business Administration C API Developer Reference, see Appendix A, “Differences between the C and Java administration API,” on page 53.
Administration objects

Each IBM Tivoli Access Manager (Tivoli Access Manager) administration object that can be manipulated directly from a Java application is represented by a corresponding Java class. The objects supported in this version of Tivoli Access Manager are as follows:

PDAdmin
    This class is used to initialize and shut down the operations associated with using the Tivoli Access Manager administration classes and methods. The methods in this class are applicable to all administration objects.

PDAuthzRule
    This class represents a Tivoli Access Manager authorization rule.

PDContext
    This class encapsulates the information needed to establish a communication session between the Java application and the Tivoli Access Manager policy server. Both user ID and password-based and certificate-based authentication are supported by this class. Multiple PDContext objects can be created and used within the same Java virtual machine (JVM).

PDDomain
    This class represents a Tivoli Access Manager policy server domain.

PDUser
    This class represents a user in the Tivoli Access Manager policy server.

PDGroup
    This class represents a group in the Tivoli Access Manager policy server.
PDPolicy
    This class represents the policy information that is associated with a particular Tivoli Access Manager user or, in the case of the global policy, that is associated with all users. The PDPolicy class is used to set and retrieve account policy information from the user registry on a global or per-user basis.

PDAcl
    This class represents an access control list (ACL), which in turn consists of a list of ACL entries.

PDAclEntry
    This class represents an entry in an ACL.

PDAclEntryUser
    This class represents a user ACL entry and controls access for a particular user.

PDAclEntryGroup
    This class represents a group ACL entry and controls access for all members in a group.

PDAclEntryAnyOther
    This class represents the any-other, or any-other authenticated, entry in an ACL. This ACL entry is applied to any user that has been authenticated into the Tivoli Access Manager secure domain but is not included in a separate user or group ACL entry.

PDAclEntryUnAuth
    This class represents the unauthenticated user ACL entry. This ACL entry is applied to any user that has not been authenticated by Tivoli Access Manager.

PDProtObject
    This class represents a protected object. A protected object represents a resource that is to be protected, and it has an ACL associated with it. Each protected object is uniquely identified by an ID.

PDProtObjectSpace
    This class represents the protected object space object. An object space is a logical grouping of protected objects representing a set of related resources to be protected. Each object space is uniquely identified by an ID.

PDPop
    This class represents a protected object policy, or POP, which can be attached to a PDProtObject object.

PDAdmSvcPobj
    This class represents the value of a Tivoli Access Manager administration service protected object.

PDAction
    This class represents a given permission.

PDActionGroup
    This class represents a collection of PDAction objects.

PDRgyGroupName
    This class represents the name of a Tivoli Access Manager group in the underlying user registry.

PDRgyUserName
    This class represents the name of a Tivoli Access Manager user in the underlying user registry.
PDRgyName
    This class represents the name of a Tivoli Access Manager object in the underlying user registry. This object is either a Tivoli Access Manager user name or group name.

PDAppSvrSpecLocal
    This class represents configuration information for a local Java application server.

PDAppSvrSpecRemote
    This class represents configuration information for a remote Java application server.

PDSvrInfo
    This class represents a Tivoli Access Manager policy server or authorization server and is used when creating or changing the configuration for a Java application server.

PDAppSvrInfo
    This class represents a read-only view of a Java application server’s configuration information.

PDServer
    This class represents a Tivoli Access Manager policy server, authorization server, or other application server.

PDSSOResource
    This class represents a single signon (SSO) resource.

PDSSOResourceGroup
    This class represents a single signon (SSO) resource group.

PDSSOCred.CredID
    This class represents the credential identification information for each member of the list returned by the PDSSOCred.listSSOCreds method.

PDSSOCred.CredInfo
    This class represents the credential information for each member of the list returned by the PDSSOCred.listAndShowSSOCreds method.

PDException
    This class creates an exception to reflect that an error or other exceptional condition has occurred.

PDMessage
    This class represents a single Tivoli Access Manager message and includes the message code, severity, and the localized message text.

PDMessages
    This class represents a list of one or more Tivoli Access Manager messages.

The methods associated with these classes are thread-safe.

Common classes

The following classes are used for both administration and authorization methods.

PDAttrs
    This class represents a list of Tivoli Access Manager attributes.

PDAttrValue
    This class represents the value of a Tivoli Access Manager attribute.
PDAttrValues
    This class represents a collection of values for a particular attribute that is unordered and that does not allow duplicates.

PDAttrValueList
    This class represents a collection of values for a particular attribute that is ordered and allows duplicates.
Initializing the administration API

Before using the administration API in a Java application, the PDAdmin object must be initialized. This is accomplished by calling the PDAdmin.initialize() method, as shown in Figure 2, passing the name of the application and a PDMessages object. Messages are described in more detail in “Messages” on page 17.

PDMessages messages = new PDMessages();
PDAdmin.initialize("myApplicationName", messages);

Figure 2. Initializing the administration API

Establishing a security context

After initializing the administration API, you must create an SSL connection between the Java application and the Tivoli Access Manager policy server. This connection is referred to as a security context by the administration API. The security context provides for the secure transfer of administrative requests and data between the Java application and the policy server.

A security context can be established using either user ID and password-based authentication or certificate-based authentication. In either case, the security context is represented by the PDContext object. Multiple PDContext objects can be created and used within the same JVM. Information on Java authentication classes and methods can be found in IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference.

User ID and password-based authentication

To establish a security context using user ID and password-based authentication, you need the following information:

admin user ID
    A Tivoli Access Manager user ID with the appropriate administrative authority, such as sec_master.

admin password
    The password associated with the administrator user ID.

locale
    The locale that is to be used for returning message data to the application. When this value is not supplied as an input parameter, the PDContext constructor uses the default locale.

domain
    The Tivoli Access Manager policy server domain to which the user will be authenticated. When this value is not supplied, the domain is obtained from the configuration file URL. When the configuration file URL does not contain domain information, the local domain associated with the Java Runtime Environment is used.

configuration file URL
    The uniform resource locator (URL) to the configuration file created by the Java SvrSslCfg class. The URL must use the file:/// format.

Note: Do not use the svrsslcfg command line interface to create a configuration file that is to be used by a Java application.
To
create
the
security
context,
create
a
PDContext
object
as
shown
in
Figure
3.
The
contents
of
the
configuration
file
created
by
the
Java
SvrSslCfg
class
is
not
externalized
and
is
subject
to
change
without
notice
in
future
releases
of
Tivoli
Access
Manager.
Users
should
not
use
the
information
in
the
configuration
file
directly.
Certificate-based
authentication
To
establish
a
security
context
using
certificate-based
authentication,
you
need
the
following
information:
locale
The
locale
that
is
to
be
used
for
returning
message
data
to
the
application.
configuration
file
URL
The
URL
to
the
configuration
file
created
by
the
Java
SvrSslCfg
class.
The
URL
must
use
the
file:///
format.
Note:
Do
not
use
the
svrsslcfg
command
line
interface
to
create
a
configuration
file
that
is
to
be
used
by
a
Java
application.
To
create
the
security
context,
create
a
PDContext
object
as
shown
in
Figure
4
on
page
14.
//
Create
locale
for
US
English
Locale
myLocale
=
new
Locale("ENGLISH",
"US");
/*
Create
a
security
context
using
our
locale.
Need
to
supply
a
user
ID
with
administrative
privileges
in
Access
Manager
(like
sec_master)
along
with
its
password
and
a
URL
of
the
form
file:///
to
the
configuration
file
created
by
the
SvrSslCfg
class.
*/
PDContext
myContext
=
new
PDContext(myLocale,
adminName,
adminPassword,
domain,
configFileURL);
Figure
3.
Creating
a
security
context
using
user
ID
and
password-based
authentication
Chapter
2.
Using
the
administration
API
13
The
contents
of
the
configuration
file
created
by
the
Java
SvrSslCfg
class
is
not
externalized
and
is
subject
to
change
without
notice
in
future
releases
of
Tivoli
Access
Manager.
Users
should
not
use
the
information
in
the
configuration
file
directly.
Manipulating
administration
objects
Each
Java
class
representing
an
administration
object
provides
static
methods
to
create,
list,
modify,
and
delete
objects
stored
on
the
Tivoli
Access
Manager
policy
server.
Changes
to
administration
objects
on
the
policy
server
are
immediately
available
to
other
applications.
The
constructor
of
each
class
can
be
used
to
obtain
a
local
copy
of
a
specific
administration
object.
The
instance
methods
of
the
class
can
then
be
used
to
retrieve
data
from
the
local
object
and
to
modify
both
the
local
copy
of
the
object
and
the
object
stored
on
the
policy
server.
Use
of
the
static
methods
is
recommended
for
command
line
and
batch-oriented
applications
using
the
administration
API.
For
interactive
applications,
the
instance
methods
are
recommended.
Creating
objects
You
can
use
the
administration
API
to
create
Tivoli
Access
Manager
objects
necessary
to
complete
administrative
tasks.
Before
you
create
an
object,
you
need
to
initialize
the
administration
API
and
establish
a
security
context.
To
create
an
object,
use
the
static
creation
method
associated
with
the
administration
object.
For
example,
to
create
an
Tivoli
Access
Manager
user,
you
would
use
the
PDUser.createUser()
static
method.
This
is
illustrated
in
Figure
5
on
page
15.
This
method
results
in
the
Tivoli
Access
Manager
user
being
created
immediately
on
the
policy
server.
// Create locale for US English. The language argument is the ISO 639
// code "en"; the string "ENGLISH" is not a language code and would not
// match any message resource bundle.
Locale myLocale = new Locale("en", "US");

/*
 * Create a security context using certificate-based authentication.
 * The URL to the configuration file must use the file:/// format.
 * The configuration file is created by the SvrSslCfg class.
 */
PDContext myContext = new PDContext(myLocale, configFileURL);

Figure 4. Creating a security context using certificate-based authentication
14 IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference
Obtaining a local copy of an object

To obtain a local copy of an administration object, use the constructor for the Java class representing the administration object. For example, to get a copy of the PDUser object representing a particular Tivoli Access Manager user, you would use the PDUser constructor. This is shown in Figure 6.
/*------------------------------------------------------------------
 * Create a user, using the PDUser.createUser() static method, and
 * assign the user to a specific group. This method sends a
 * request to the policy server to create the user.
 *------------------------------------------------------------------
 */
// Set up all of the user's attributes
String name = "Stephanie Luser";
String firstName = "Stephanie";
String lastName = "Luser";
String password = "herpassword";
String description = "Descriptive text for Stephanie Luser";
String rgyName = "cn=" + name + "," + rgySuffix;
PDRgyUserName pdRgyUserName = new PDRgyUserName(rgyName, firstName, lastName);
boolean ssoUser = false;
boolean pwdPolicy = true;
ArrayList groupList = new ArrayList();
groupList.add(groupAdministrativeAssistants);
messages.clear();
PDUser.createUser(mySecurityContext,
                  name,
                  pdRgyUserName,
                  description,
                  password.toCharArray(),
                  groupList,
                  ssoUser,
                  pwdPolicy,
                  messages);

Figure 5. Creating a user
/*------------------------------------------------------------------
 * Obtain a user using the PDUser constructor.
 *------------------------------------------------------------------
 */
// Set up all of the user's attributes
String name = "Zachary Wommbat";
String firstName = "Zachary";
String lastName = "Wommbat";
String rgyName = "cn=" + name + "," + rgySuffix;
PDRgyUserName pdRgyUserName = new PDRgyUserName(rgyName, firstName, lastName);
messages.clear();   // semicolon was missing in the original listing
PDUser user = new PDUser(mySecurityContext, pdRgyUserName, messages);

Figure 6. Getting a local copy of a PDUser object
After a local copy of the administration object is obtained, you can use the instance methods on the object to retrieve or set data associated with the object.

Note: After a local copy of an administration object is obtained, the object could be changed on the policy server by other users using the command line interface, the administration C API, or the Java classes and methods. A few instance methods are able to detect inconsistencies between data in the local object and data in the policy server, but most cannot. It is the responsibility of the user to ensure that changes made to administration objects are done in a consistent and predictable way when using the instance methods.
Reading object values

Administration object data can be obtained by using the instance methods associated with the administration object. To use the instance methods, you must first obtain a local copy of the object, as outlined in “Obtaining a local copy of an object” on page 15. After obtaining the object, you can retrieve information about the object by using the instance methods. For example, to get the description associated with a Tivoli Access Manager user from a local copy of the PDUser object:

userDescription = user.getDescription();
Setting object values

Administration object data can be changed by using the instance methods associated with the administration object or by using the static methods associated with the Java class representing the administration object. To use the instance methods, you must first obtain a local copy of the object, as outlined in “Obtaining a local copy of an object” on page 15. After obtaining the object, you can change information about the object by using the instance methods. For example, to disable the account associated with a Tivoli Access Manager user from a local copy of the PDUser object, use the following:

user.setAccountValid(mySecurityContext,
                     false,        // Disable the account
                     messages);

The instance method changes both the local copy of the administration object and the object stored on the policy server. To update the PDUser object on the policy server without a local copy, use the static method:

PDUser.setAccountValid(mySecurityContext,
                       name,
                       false,      // Disable the account
                       messages);
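As an added example, not taken from the manual or from the Tivoli Access Manager code base, the following class puts the two styles side by side: the batch-oriented static call, and an interactive instance-method path that re-reads the object immediately before acting, which is the practical answer to the Note above about local copies going stale. The package names (com.tivoli.pd.jadmin, com.tivoli.pd.jutil) and the exact signature of the PDUser constructor that takes a Tivoli Access Manager user name (Table 4 on page 20 lists that form) are assumptions to verify against the javadoc shipped with your installation.

```java
import com.tivoli.pd.jadmin.PDUser;          // ASSUMPTION: package names
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

public class AccountDisable {

    /**
     * Batch style (the manual recommends static methods for command line and
     * batch tools): one call, no local copy, so nothing can go stale.
     */
    static void disableBatch(PDContext ctx, String userName, PDMessages msgs)
            throws PDException {
        msgs.clear();                                   // one PDMessages, cleared per call
        PDUser.setAccountValid(ctx, userName, false, msgs);
    }

    /**
     * Interactive style: the caller has been showing a PDUser to an operator
     * for a while. Before acting on it, fetch a fresh copy so the decision is
     * based on the policy server's current state rather than on the copy taken
     * when the screen was opened (pdadmin, the C API or another Java client may
     * have changed the account since). Returns false if nothing had to be done.
     */
    static boolean disableInteractive(PDContext ctx, PDUser staleCopy, PDMessages msgs)
            throws PDException {
        msgs.clear();
        // ASSUMPTION: PDUser(PDContext, String tamUserName, PDMessages) is the
        // "Tivoli Access Manager name" form of the constructor listed in Table 4.
        PDUser fresh = new PDUser(ctx, staleCopy.getId(), msgs);
        if (!fresh.isAccountValid()) {
            return false;                               // already disabled on the server
        }
        msgs.clear();
        fresh.setAccountValid(ctx, false, msgs);        // updates the local copy and the server
        return true;
    }
}
```

The re-read costs one extra round trip to the policy server; for a screen that has been open for minutes that is cheap insurance against acting on a user whose account another administrator has already deleted, re-enabled or renamed.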
Listing objects

Some administrative tasks require the Java application to obtain a list of objects. For example, an administrator might need to review the list of existing users in order to decide if a new user must be created. Table 2 on page 17 lists the appropriate method to use to list objects based on the Java class that represents an administration object.
Table 2. Methods used to list objects

Object                Method to list objects
PDAcl                 PDAcl.listAcls
PDGroup               PDGroup.listGroups
PDProtObject          PDProtObject.listProtObjects
                      PDProtObject.listProtObjectsByAcl
PDProtObjectSpace     PDProtObjectSpace.listProtObjectSpaces
PDUser                PDUser.listUsers
PDDomain              PDDomain.listDomains
PDAuthzRule           PDAuthzRule.listAuthzRules
Deleting objects

To delete an object, use the static deletion method associated with the administration object. For example, to delete a Tivoli Access Manager user, you would use the PDUser.deleteUser() static method. This is illustrated in Figure 7. This method results in the Tivoli Access Manager user being deleted immediately from the policy server.
Messages

All constructors, static methods, and instance methods have an output parameter consisting of a PDMessages object. In addition, exceptions generated by Tivoli Access Manager contain a PDMessages object. A PDMessages object contains zero or more PDMessage objects. Each PDMessage object represents a single message and consists of the following:

Message code
    A hexadecimal number that uniquely identifies the message.

Message text
    The localized text of the message.

Severity
    An indication of the severity of the message:
    • Informational
    • Warning
    • Error
/*------------------------------------------------------------------
 * Delete a user
 *------------------------------------------------------------------
 */
// Set up all of the user's attributes
String name = "Leah Allen";
messages.clear();
PDUser.deleteUser(mySecurityContext, name, true, messages);

Figure 7. Deleting a user
The message text is localized based on the PDContext object that is used when the method is invoked, except in the case of a read-only instance method on a local administration object. When using a read-only instance method, the message text is localized based on the PDContext object used when the local administration object was created.

When a method completes successfully, check the PDMessages object for any informational or warning messages associated with the action performed. If an error is encountered during processing, a PDException exception is thrown, which might have messages associated with it.

The same PDMessages object can be used on multiple method invocations. Use the clear() method to clear the contents of the PDMessages object between method invocations.

The IBM Tivoli Access Manager Error Message Reference contains a list of the messages issued by Tivoli Access Manager along with an explanation of the message and the suggested corrective action. Messages are indexed by hexadecimal and decimal message number, as well as by message identifier.
Handling errors

All constructors, instance methods, and static methods throw a PDException exception when an error or unexpected event occurs. This exception contains a PDMessages object that might contain one or more PDMessage objects. See “Messages” on page 17 for more information about messages and message handling.

A PDException object also might contain a wrapped exception that was thrown by another Java component. Information about this wrapped exception can be obtained by using the methods of the PDException object.

The IBM Tivoli Access Manager Error Message Reference contains a list of the messages issued by Tivoli Access Manager along with an explanation of the message and the suggested corrective action.
Shutting down the administration API

After using the administration API, the PDAdmin object must be shut down. This is accomplished by calling the PDAdmin.shutdown() method as shown in Figure 8.
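The message and error discipline of “Messages” and “Handling errors”, together with the shutdown requirement just stated, as one added example that is mine rather than the manual's or IBM's: every step clears the shared PDMessages before the call, inspects it after success, reports the exception's own messages on failure, and the API is shut down in a finally block so it happens even when a step throws. Assumptions, each also marked in the code: the package names; that PDMessages can be used as a java.util.List (isEmpty, toString); that PDException.getMessages() returns the PDMessages the manual says the exception carries; that PDAdmin.initialize(String, PDMessages) is the initialization step the manual refers to; and that a wrapped exception, where one exists, is reachable through the standard getCause() chain.

```java
import java.net.URL;
import java.util.Locale;
import com.tivoli.pd.jadmin.PDAdmin;        // ASSUMPTION: package names
import com.tivoli.pd.jadmin.PDUser;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

public class AdminSession {

    /** One administrative step; the runner hands it the context and a cleared PDMessages. */
    interface AdminAction {
        void run(PDContext ctx, PDMessages msgs) throws PDException;
    }

    /**
     * Runs one step with the message discipline from "Messages" and "Handling
     * errors": clear the shared PDMessages first, look at it after success
     * (informational and warning messages still arrive there), and on
     * PDException report the exception's own messages before propagating.
     * ASSUMPTIONS: PDMessages behaves as a java.util.List (isEmpty, toString);
     * PDException.getMessages() returns the carried PDMessages; a wrapped
     * exception, if present, is reachable through getCause().
     */
    static void runChecked(String label, PDContext ctx, PDMessages msgs, AdminAction action)
            throws PDException {
        msgs.clear();
        try {
            action.run(ctx, msgs);
            if (!msgs.isEmpty()) {
                System.err.println(label + ": succeeded with messages " + msgs);
            }
        } catch (PDException e) {
            System.err.println(label + ": failed " + e.getMessages());
            if (e.getCause() != null) {
                System.err.println(label + ": wrapped exception " + e.getCause());
            }
            throw e;
        }
    }

    /** Usage: java AdminSession file:///path/to/svrsslcfg-output userName */
    public static void main(String[] args) throws Exception {
        PDMessages msgs = new PDMessages();
        // ASSUMPTION: PDAdmin.initialize(applicationName, msgs) is the initialization
        // step the manual requires before a security context is created.
        PDAdmin.initialize("AdminSessionExample", msgs);
        try {
            PDContext ctx = new PDContext(new Locale("en", "US"), new URL(args[0]));
            final String userName = args[1];
            runChecked("disable " + userName, ctx, msgs, new AdminAction() {
                public void run(PDContext c, PDMessages m) throws PDException {
                    PDUser.setAccountValid(c, userName, false, m);
                }
            });
        } finally {
            msgs.clear();
            PDAdmin.shutdown(msgs);                 // Figure 8; runs even when a step threw
        }
    }
}
```

Writing the messages to stderr with a label per step is what makes the hexadecimal message codes useful afterwards: the Error Message Reference is indexed by exactly that number, so an operator can go from a log line to the documented corrective action without reproducing the failure.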
Character-based data considerations

Character-based data, such as user IDs and passwords, is stored and manipulated by the Java classes and methods as strings of Unicode characters. This character data is converted from Unicode into UTF-8 (Universal Character Set Transformation Format-8) before being sent to the Tivoli Access Manager policy server and stored in the user registry. Similarly, data from the user registry and the policy server is received in UTF-8 and converted into Unicode. Unicode and UTF-8 both allow any character in any locale to be uniquely represented.
PDAdmin.shutdown(messages);

Figure 8. Shutting down the administration API
Chapter 3. Administering users and groups

The administration API provides a collection of classes and methods for administering IBM Tivoli Access Manager (Tivoli Access Manager) users and groups. This chapter describes the tasks that those classes and methods accomplish.

Information about Tivoli Access Manager users and groups is stored in the user registry. You can use the administration API to both modify and access user and group settings in the user registry. In addition, the administration API provides classes and methods to administer password and account policy settings both on a per-user and a global basis.

Tivoli Access Manager provides the pdadmin command line interface (CLI) that accomplishes many of the same user, group, and policy administration tasks. Application developers who have previously used the pdadmin command to manage a Tivoli Access Manager secure domain will find the administration API functions straightforward to implement.

This chapter contains the following topics:
• “Administering users”
• “Administering user information” on page 20
• “Administering user account policies” on page 21
• “Administering user password policies” on page 22
• “Administering groups” on page 23
• “Administering group information” on page 24
Administering users

The administration API provides classes and methods for creating, accessing, listing, and deleting Tivoli Access Manager user information within the user registry.

The name of a user is not case sensitive. Therefore user, USER, User, and UsEr all refer to the same Tivoli Access Manager user.

The PDUser.createUser method creates a user in the user registry used by the Tivoli Access Manager policy server.

Note: When a user definition already exists in the user registry, use the PDUser.importUser method instead. The PDUser.importUser method imports an existing user definition from the user registry into Tivoli Access Manager and allows the user definition to be managed by Tivoli Access Manager.

Use the PDUser.deleteUser method to delete a user from Tivoli Access Manager.

Table 3 on page 20 lists the user administration functions.
© Copyright IBM Corp. 2002, 2003 19
User registry difference: Leading and trailing blanks in a user name do not make the name unique when using an LDAP or Active Directory user registry. However, leading and trailing blanks do make the user name unique when using a Domino server as a user registry. To keep name processing consistent regardless of what user registry is being used, do not define user names with leading or trailing blanks.
Table 3. Administrating users

PDUser.createUser
    Creates the specified user.

PDUser.importUser
    Creates a Tivoli Access Manager user by importing an existing user from the user registry.

PDUser.deleteUser
    Deletes the specified user.

PDUser.listUsers
    Lists Tivoli Access Manager users.
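The two naming rules in this section (case-insensitive names, and the registry difference for leading and trailing blanks) as a pre-flight check to run before PDUser.createUser. This is an added example of mine, not code from the manual; it is plain Java with no Tivoli Access Manager calls, and the list of existing names is a constructed sample that in a live run would come from PDUser.listUsers.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

public class UserNameCheck {

    /** Thrown when a proposed name should not be handed to PDUser.createUser. */
    static final class Rejected extends Exception {
        Rejected(String why) { super(why); }
    }

    /**
     * Applies the naming rules from this section before a user is created:
     * no leading or trailing blanks (LDAP and Active Directory ignore them,
     * Domino does not, so such a name means different things in different
     * registries), and case-insensitive comparison against the names that
     * already exist. Returns the name unchanged when it is acceptable.
     */
    static String validateNewUserName(String name, List existingNames) throws Rejected {
        if (name == null || name.trim().length() == 0) {
            throw new Rejected("empty user name");
        }
        if (!name.equals(name.trim())) {
            throw new Rejected("leading or trailing blanks in '" + name + "'");
        }
        for (Iterator it = existingNames.iterator(); it.hasNext(); ) {
            String existing = (String) it.next();
            if (existing.trim().equalsIgnoreCase(name)) {     // user, USER and UsEr are one user
                throw new Rejected("'" + name + "' is the same user as existing '" + existing + "'");
            }
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample of names already in the registry (not real data);
        // the names are the ones used in the manual's own figures.
        List existing = new ArrayList();
        existing.add("Stephanie Luser");
        existing.add("zachary wommbat");

        String[] candidates = { "Leah Allen", "STEPHANIE LUSER", " Leah Allen", "Zachary Wommbat" };
        for (int i = 0; i < candidates.length; i++) {
            try {
                System.out.println("ok:       " + validateNewUserName(candidates[i], existing));
            } catch (Rejected r) {
                System.out.println("rejected: " + r.getMessage());
            }
        }
    }
}
```

Of the four candidates only the first is accepted: the second and fourth differ from existing users only in case, and the third carries a leading blank. Doing this check client-side keeps the outcome the same whichever registry sits behind the policy server.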
Administering user information

The administration API allows you to administer the information associated with a Tivoli Access Manager user. When a user account has been created in the user registry, you can set and get different pieces of information about the user.

You must create a security context between the calling application and the Tivoli Access Manager policy server before you can access the user registry. You can obtain the user registry information for a user object by specifying either the Tivoli Access Manager user name or the user registry name.

Table 4 lists the methods available for administering user information.
Table 4. Administrating user information

PDUser constructor
    Instantiates a user object for the specified Tivoli Access Manager or user registry name.

PDUser object.getDescription
    Returns the user description.

PDUser object.getRgyName
    Returns the user registry name for the user.

PDUser object.getId
    Returns the name of the object.

PDUser object.getFirstName
    Returns the first-name attribute for the user.

PDUser object.getLastName
    Returns the last-name attribute for the user.

PDUser object.getPolicy
    Returns the password and account policy settings associated with the user.

PDUser object.getGroups
    Lists the groups in which the user is a member.

PDUser object.isAccountValid
    Returns the account-valid indicator for the user.

PDUser object.isPDUser
    Returns a setting that indicates if this is a Tivoli Access Manager user.

PDUser object.isSSOUser
    Returns a setting that indicates if the user has single signon capabilities.

PDUser.setDescription
PDUser object.setDescription
    Sets a user description.

PDUser.setAccountValid
PDUser object.setAccountValid
    Enables or disables a user account.

PDUser.setSSOUser
PDUser object.setSSOUser
    Enables or disables the single signon capabilities of a user.

PDUser object.isPasswordValid
    Returns the enabled indicator for the user's password.

PDUser.setPassword
PDUser object.setPassword
    Sets a user's password.

PDUser.setPasswordValid
PDUser object.setPasswordValid
    Enables or disables a user's password.
Administering user account policies

You can manage user access by setting account policies. You can specify policies that apply only to a single user or specify policies that apply for all users.

When a user's account policy attribute is set to a value and enforced, that value always takes precedence over a value set for the general policy, regardless of which value is more restrictive. If an account policy attribute for a user is not enforced, then the value set for the general policy, if that value is set and enforced, is in effect for the user.

Table 5 describes the administration API methods that you can use to modify or access account policies.
Table 5. Administrating user account policies

PDUser.getUserRgy
    Determines which type of user registry is configured for the Tivoli Access Manager policy server.

PDPolicy constructor
    Instantiates a policy object for a user, or for all users in the case of the global policy.

PDPolicy object.acctDisableTimeEnforced
    Returns an indicator whether the account disable time interval policy is enforced.

PDPolicy object.acctDisableTimeUnlimited
    Returns an indicator whether the account disable time interval policy is unlimited.

PDPolicy object.acctExpDateEnforced
    Returns an indicator whether the account expiration date policy is enforced.

PDPolicy object.acctExpDateUnlimited
    Returns an indicator whether the account expiration date policy is unlimited.

PDPolicy object.getAcctExpDate
    Gets the account expiration date for user accounts.

PDPolicy object.getAcctDisableTimeInterval
    Gets the amount of time to disable a user account when the maximum number of login failures is exceeded.

PDPolicy object.getMaxFailedLogins
    Gets the maximum number of failed logins allowed for user accounts.

PDPolicy object.getAccessibleDays
PDPolicy object.getAccessStartTime
PDPolicy object.getAccessEndTime
PDPolicy object.getAccessTimezone
    Gets the time of day access policy for user accounts.

PDPolicy object.maxFailedLoginsEnforced
    Returns an indicator whether the maximum failed login policy is enforced.

PDPolicy.setAcctExpDate
PDPolicy object.setAcctExpDate
    Sets the account expiration date for user accounts.

PDPolicy.setAcctDisableTime
PDPolicy object.setAcctDisableTime
    Sets the amount of time to disable a user account when the maximum number of login failures is exceeded.

PDPolicy.setMaxFailedLogins
PDPolicy object.setMaxFailedLogins
    Sets the maximum number of failed logins allowed for user accounts.

PDPolicy.setTodAccess
PDPolicy object.setTodAccess
    Sets the time of day access for the account for user accounts.

PDPolicy object.todAccessEnforced
    Returns an indicator whether the time-of-day access policy is enforced.
Administering user password policies

You can manage user access by setting password attributes. You can specify policies that apply only to a single user or specify policies that apply for all users.

When a user's password policy attribute is set to a value and enforced, that value always takes precedence over a value set for the general policy, regardless of which value is more restrictive. If a password policy attribute for a user is not enforced, then the value set for the general policy, if that value is set and enforced, is in effect for the user.

Table 6 describes the administration API methods that you can use to modify or access password policies.
Table 6. Administrating user password policies

PDPolicy constructor
    Instantiates a policy object for a user, or for all users in the case of the global policy.

PDPolicy object.getMaxPwdAge
    Gets the password expiration date.

PDPolicy object.getMaxPwdRepChars
    Gets the maximum number of repeated characters allowed in the password.

PDPolicy object.getMinPwdAlphas
    Gets the minimum number of alphabetic characters allowed in the password.

PDPolicy object.getMinPwdLen
    Gets the minimum password length.

PDPolicy object.getMinPwdNonAlphas
    Gets the minimum number of nonalphabetic characters allowed in a password.

PDPolicy object.maxPwdAgeEnforced
    Returns an indicator whether the maximum password age policy is enforced.

PDPolicy object.maxPwdRepCharsEnforced
    Returns an indicator whether the password maximum repeated characters policy is enforced.

PDPolicy object.minPwdAlphasEnforced
    Returns an indicator whether the password minimum alphabetic characters required policy is enforced.

PDPolicy object.minPwdLenEnforced
    Returns an indicator whether the minimum password length policy is enforced.

PDPolicy object.minPwdNonAlphasEnforced
    Returns an indicator whether the password minimum non-alphabetic characters policy is enforced.

PDPolicy object.pwdSpacesAllowed
    Returns an indicator whether spaces are allowed in a password.

PDPolicy.setMaxPwdAge
PDPolicy object.setMaxPwdAge
    Sets the password expiration date.

PDPolicy.setMaxPwdRepChars
PDPolicy object.setMaxPwdRepChars
    Sets the maximum number of repeated characters allowed in a password.

PDPolicy.setMinPwdAlphas
PDPolicy object.setMinPwdAlphas
    Sets the minimum number of alphabetic characters allowed in a password.

PDPolicy.setMinPwdLen
PDPolicy object.setMinPwdLen
    Sets the minimum password length.

PDPolicy.setMinPwdNonAlphas
PDPolicy object.setMinPwdNonAlphas
    Sets the minimum number of nonalphabetic characters allowed in a password.

PDPolicy.setPwdSpacesAllowed
PDPolicy object.setPwdSpacesAllowed
    Sets policy for whether spaces are allowed in a password.
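The precedence rule stated for both account policies and password policies (an enforced per-user value wins regardless of which value is stricter) carried through in code, as an added example of mine rather than anything from the manual. The rule itself is implemented in plain Java so it can be reasoned about on its own; the second consequence of the rule, that a per-user override can silently weaken the general policy, is turned into an audit check. Assumptions, also marked in the code: the package names; that the PDPolicy constructor is (PDContext, userName, PDMessages) and that a null user name selects the global policy; and that the numeric getters return values assignable to long.

```java
import com.tivoli.pd.jadmin.PDPolicy;        // ASSUMPTION: package name
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

public class EffectivePolicy {

    /** Which policy supplied a value: "user", "global", or "none" when nothing is enforced. */
    static final class Resolved {
        final String source;
        final long value;
        Resolved(String source, long value) { this.source = source; this.value = value; }
        public String toString() {
            return "none".equals(source) ? "not enforced" : value + " (" + source + ")";
        }
    }

    /**
     * The precedence rule from the two policy sections: an enforced per-user
     * value wins regardless of which value is stricter; otherwise the general
     * policy applies if it is enforced; otherwise the attribute is not enforced.
     */
    static Resolved resolve(boolean userEnforced, long userValue,
                            boolean globalEnforced, long globalValue) {
        if (userEnforced)   return new Resolved("user", userValue);
        if (globalEnforced) return new Resolved("global", globalValue);
        return new Resolved("none", 0);
    }

    /**
     * The audit question that follows from that rule: is the per-user override
     * weaker than the general policy? higherIsStricter is true for attributes
     * such as minimum password length and false for maximum failed logins.
     */
    static boolean weakensGlobal(boolean userEnforced, long userValue,
                                 boolean globalEnforced, long globalValue,
                                 boolean higherIsStricter) {
        if (!userEnforced || !globalEnforced) return false;
        return higherIsStricter ? userValue < globalValue : userValue > globalValue;
    }

    /**
     * Reads the user's policy and the global policy and reports two attributes.
     * ASSUMPTIONS: PDPolicy(ctx, userName, msgs) builds the per-user policy and
     * a null user name selects the global policy; the getters return long.
     */
    static void report(PDContext ctx, String userName, PDMessages msgs) throws PDException {
        msgs.clear();
        PDPolicy user = new PDPolicy(ctx, userName, msgs);
        msgs.clear();
        PDPolicy global = new PDPolicy(ctx, null, msgs);

        Resolved minLen = resolve(user.minPwdLenEnforced(), user.getMinPwdLen(),
                                  global.minPwdLenEnforced(), global.getMinPwdLen());
        Resolved maxFail = resolve(user.maxFailedLoginsEnforced(), user.getMaxFailedLogins(),
                                   global.maxFailedLoginsEnforced(), global.getMaxFailedLogins());
        System.out.println(userName + ": min password length " + minLen
                         + ", max failed logins " + maxFail);

        if (weakensGlobal(user.minPwdLenEnforced(), user.getMinPwdLen(),
                          global.minPwdLenEnforced(), global.getMinPwdLen(), true)
         || weakensGlobal(user.maxFailedLoginsEnforced(), user.getMaxFailedLogins(),
                          global.maxFailedLoginsEnforced(), global.getMaxFailedLogins(), false)) {
            System.out.println(userName + ": per-user policy is weaker than the general policy");
        }
    }
}
```

Running report over every user returned by PDUser.listUsers gives a quick inventory of the accounts whose per-user settings relax the general policy, which is exactly the case the "regardless of which value is more restrictive" wording warns about.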
Administering groups

The administration API provides methods for creating, accessing, listing, and deleting Tivoli Access Manager group information from the user registry.

The name of a group is not case sensitive. Therefore group, GROUP, Group, and GrOuP all refer to the same Tivoli Access Manager group.

The PDGroup.createGroup method creates a group in the user registry used by the Tivoli Access Manager policy server.

Note: When a group definition already exists in the user registry, use the PDGroup.importGroup method instead. The PDGroup.importGroup method imports an existing group definition from the user registry into Tivoli Access Manager and allows the group definition to be managed by Tivoli Access Manager.
Table 7 lists the group administration functions.

Table 7. Administering groups

PDGroup.createGroup
    Creates the specified group.

PDGroup.importGroup
    Creates a Tivoli Access Manager group by importing an existing group from the user registry.

PDGroup.deleteGroup
    Deletes the specified group.

PDGroup.listGroups
    Lists Tivoli Access Manager groups.
Administering group information

The administration API enables you to administer information associated with a group. When a group has been created in the user registry, you can set and get different pieces of information about the group.

You must create a security context between the calling application and the Tivoli Access Manager policy server before you can access the user registry. You can obtain the user registry information for a group object by specifying either the Tivoli Access Manager group name or the user registry group name.

Table 8 lists the group information administration functions.

Table 8. Administering group attributes

PDGroup constructor
    Instantiates a group object for the specified Tivoli Access Manager or user registry name.

PDGroup object.getDescription
    Returns the group description.

PDGroup object.getRgyName
    Returns the user registry name for the group.

PDGroup object.getId
    Returns the Tivoli Access Manager name for the group.

PDGroup object.isPDGroup
    Returns an indicator whether the object is a Tivoli Access Manager group.

PDGroup.setDescription
PDGroup object.setDescription
    Sets a group description.

PDGroup object.getMembers
    Lists the members of a group.

PDGroup.addMembers
PDGroup object.addMembers
    Adds users to a group.

PDGroup.removeMembers
PDGroup object.removeMembers
    Removes users from a group.
Chapter 4. Administering protected objects and protected object spaces

You can use the administration API to create, modify, examine, list, and delete IBM Tivoli Access Manager (Tivoli Access Manager) protected objects. These protected objects represent resources that must be secured to enforce your security policy. You can specify the security policy by applying access control lists (ACLs), protected object policies (POPs), and authorization rules to the protected objects.

Tivoli Access Manager protected objects exist within a virtual hierarchy known as a protected object space. Tivoli Access Manager provides several protected object spaces by default. You can use the administration API to define new regions of the protected object space and to define and secure resources that are specific to a third-party application.

This chapter describes the administration API functions that you can use to administer protected object spaces and protected objects. You must be familiar with protected objects before using the administration API. For an introduction to protected objects, see the chapter about managing protected objects in the IBM Tivoli Access Manager Base Administration Guide. For an introduction to the use of ACLs, POPs, and authorization rules to secure protected objects, see the chapters about using access control policies, protected object policies, and authorization rules in the IBM Tivoli Access Manager Base Administration Guide.

This chapter contains the following topics:
• “Administering protected object spaces”
• “Administering protected objects” on page 26
• “Administering protected object attributes” on page 27
Administering protected object spaces

You can use the administration API to create and administer a user-defined protected object space. You can use this protected object space to define a resource hierarchy that is specific to a third-party application that uses Tivoli Access Manager authorization services to enforce a security policy. User-defined object spaces created with the administration API are dynamic because they can be updated while Tivoli Access Manager is running.

Table 9 on page 26 lists the methods available for administering protected object spaces.

Note: For an introduction to the creation of protected object spaces, see the protected object space information in the IBM Tivoli Access Manager Base Administration Guide.
Table 9. Administering protected object spaces

PDProtObjectSpace.createProtObjectSpace
    Creates a Tivoli Access Manager protected object space.

PDProtObjectSpace.deleteProtObjectSpace
    Deletes the specified Tivoli Access Manager protected object space.

PDProtObjectSpace.listProtObjectSpaces
    Lists the Tivoli Access Manager protected object spaces.
Administering protected objects

Define protected objects that reflect the resources that your security policy protects. The name of a protected object can be of any length and contain any character. However, the forward slash (/) character is interpreted to be part of the object hierarchy, which allows ACLs to be attached at the various points indicated by the forward slash character.

After you create a protected object, you can specify a security policy for it by defining and attaching ACLs, POPs, authorization rules, or any combination of these entities. For more information about these Tivoli Access Manager security concepts, see the IBM Tivoli Access Manager Base Administration Guide.

Use caution when implementing protected objects programmatically. In many cases, the protected object hierarchy is manually designed, built, and tested by a security expert. Carefully review the hierarchy to ensure that the security policy is correctly enforced. If you choose to build protected object hierarchies programmatically, be sure to test and review the settings for each object before deploying the security environment.

Table 10 lists the methods available to administer protected objects.
Table 10. Administering protected objects

PDProtObject.attachAcl
PDProtObject object.attachAcl
    Attaches the specified access control list to the specified protected object.

PDProtObject.attachPop
PDProtObject object.attachPop
    Attaches a POP to the specified protected object.

PDProtObject.attachAuthzRule
PDProtObject object.attachAuthzRule
    Attaches an authorization rule to the specified protected object.

PDProtObject.createProtObject
    Creates a Tivoli Access Manager protected object.

PDProtObject.deleteProtObject
    Deletes the specified Tivoli Access Manager protected object.

PDProtObject.detachAcl
PDProtObject object.detachAcl
    Detaches the access control list from the specified protected object.

PDProtObject.detachPop
PDProtObject object.detachPop
    Detaches a POP from the specified protected object.

PDProtObject.detachAuthzRule
PDProtObject object.detachAuthzRule
    Detaches an authorization rule from the specified protected object.

PDProtObject constructor
    Instantiates the specified protected object.

PDProtObject object.getAclId
    Gets the name of the ACL attached to the specified protected object.

PDProtObject object.getEffectiveAclId
    Gets the name of the ACL in effect for the specified protected object.

PDProtObject object.getPopId
    Gets the name of the POP attached to the specified protected object.

PDProtObject object.getEffectivePopId
    Gets the name of the POP in effect for the specified protected object.

PDProtObject object.getAuthzRuleId
    Gets the name of the authorization rule object that is attached to the specified protected object.

PDProtObject object.getEffectiveAuthzRuleId
    Gets the name of the authorization rule object that is in effect for the specified protected object.

PDProtObject object.getDescription
    Gets the description of the specified protected object.

PDProtObject object.getId
    Gets the name of the specified protected object.

PDProtObject object.isPolicyAttachable
    Indicates whether a protected object policy or access control list can be attached to the specified protected object.

PDProtObject object.exists
    Indicates whether a protected object exists.

PDProtObject object.access
    Indicates whether a specific action to a specific object is permitted.

PDProtObject object.multiAccess
    Indicates whether the specified actions to the specified objects are permitted.

PDProtObject.listProtObjectsByPop
    Returns a list of protected objects that have the specified protected object policy (POP) attached.

PDProtObject.listProtObjects
    Returns the protected objects contained under the specified directory.

PDProtObject.listProtObjectsByAcl
    Returns a list of protected objects that have the specified access control list attached.

PDProtObject.setDescription
PDProtObject object.setDescription
    Sets the description field of the specified protected object.

PDProtObject.setPolicyAttachable
PDProtObject object.setPolicyAttachable
    Sets whether a protected object policy or access control list can be attached to the specified protected object.

PDProtObject.listProtObjectsByAuthzRule
    Lists the protected objects that have the specified authorization rule attached.
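The review step that "Administering protected objects" asks for before a programmatically built hierarchy is deployed, as an added example of mine (not code from the manual or from IBM): walk the subtree under a root object and record, for each object, the ACL attached directly to it and the ACL, POP and authorization rule actually in effect, so a reviewer can see every point where inheritance is overridden. Assumptions, also marked in the code: the package names; that PDProtObject.listProtObjects(ctx, dirName, msgs) returns a list of the immediate children's names; that the PDProtObject constructor is (ctx, objectName, msgs); and that the getters in Table 10 take no arguments and return null or an empty string when nothing is attached.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import com.tivoli.pd.jadmin.PDProtObject;    // ASSUMPTION: package name
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

public class ProtObjectReview {

    /** The policy picture for one object: what is attached here and what is in effect. */
    static final class Row {
        final String id, attachedAcl, effectiveAcl, effectivePop, effectiveRule;
        final boolean attachable;

        Row(String id, String attachedAcl, String effectiveAcl,
            String effectivePop, String effectiveRule, boolean attachable) {
            this.id = id; this.attachedAcl = attachedAcl; this.effectiveAcl = effectiveAcl;
            this.effectivePop = effectivePop; this.effectiveRule = effectiveRule;
            this.attachable = attachable;
        }

        /** True where the hierarchy's ACL changes: these are the points to review first. */
        boolean hasExplicitAcl() {
            return attachedAcl != null && attachedAcl.length() > 0;
        }

        public String toString() {
            return id + "  acl=" + effectiveAcl + (hasExplicitAcl() ? " (attached here)" : " (inherited)")
                 + "  pop=" + effectivePop + "  rule=" + effectiveRule
                 + (attachable ? "" : "  [policy not attachable]");
        }
    }

    /**
     * Walks the subtree under root and records the effective ACL, POP and
     * authorization rule of every object. ASSUMPTIONS: listProtObjects(ctx, dir,
     * msgs) returns the immediate children's names (if your release returns the
     * whole subtree, drop the recursive call) and the constructor is
     * PDProtObject(ctx, objectName, msgs).
     */
    static List review(PDContext ctx, String root, PDMessages msgs) throws PDException {
        List rows = new ArrayList();
        msgs.clear();
        List children = PDProtObject.listProtObjects(ctx, root, msgs);
        for (Iterator it = children.iterator(); it.hasNext(); ) {
            String id = (String) it.next();
            msgs.clear();
            PDProtObject obj = new PDProtObject(ctx, id, msgs);
            rows.add(new Row(id, obj.getAclId(), obj.getEffectiveAclId(),
                             obj.getEffectivePopId(), obj.getEffectiveAuthzRuleId(),
                             obj.isPolicyAttachable()));
            rows.addAll(review(ctx, id, msgs));       // "/" delimits the levels of the hierarchy
        }
        return rows;
    }

    /** Only the objects where an ACL is attached directly, i.e. where inheritance is overridden. */
    static List explicitAttachments(List rows) {
        List out = new ArrayList();
        for (Iterator it = rows.iterator(); it.hasNext(); ) {
            Row r = (Row) it.next();
            if (r.hasExplicitAcl()) out.add(r);
        }
        return out;
    }
}
```

Printing explicitAttachments(review(ctx, "/myapp", msgs)) after the build script has run, and again after any later change, gives the short list that the security expert who designed the hierarchy needs to sign off on: every object whose policy differs from its parent's.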
Administering protected object attributes

The attributes for a protected object can be created, set, queried, and deleted.
Table 11 describes the methods for administering protected object attributes.

Table 11. Administering protected object attributes

PDProtObject.deleteAttribute
PDProtObject object.deleteAttribute
    Deletes the specified extended attribute (name and values) from the specified protected object.

PDProtObject.deleteAttributeValue
PDProtObject object.deleteAttributeValue
    Deletes the specified value from the specified extended attribute key in the specified protected object.

PDProtObject object.getAttributeValues
    Returns the values associated with the specified extended attribute for the specified protected object.

PDProtObject object.getAttributeNames
    Lists all the extended attributes associated with the specified protected object.

PDProtObject.setAttributeValue
PDProtObject object.setAttributeValue
    Creates an extended attribute with the specified name and value, if it does not already exist, and adds the attribute to the specified protected object. If the attribute specified already exists, the specified value is added to the existing attribute.
Chapter 5. Administering access control

You can use the administration API to create, modify, examine, list, and delete IBM Tivoli Access Manager (Tivoli Access Manager) access control lists (ACLs). You can also use the administration API to attach ACLs to Tivoli Access Manager protected objects and to detach ACLs from protected objects.

Each ACL might contain entries for specific users and groups. You can use the administration API to set ACL entries for users and groups that already exist in the Tivoli Access Manager secure domain. You also can use the administration API to set ACL entries for the default user categories any-other and unauthenticated.

ACL entries consist of one or more permissions. These permissions specify actions that the owner of the entry is allowed to perform. Tivoli Access Manager provides a number of default permissions. You can use the administration API to define additional extended actions. You also can use the administration API to group the extended actions into action groups.

Understand the construction and use of ACLs before using the administration API ACL functions. The proper use of ACLs is key to successfully implementing a security policy. For more information, see the chapter about using access control lists in the IBM Tivoli Access Manager Base Administration Guide.

This chapter contains the following topics:
• “Administering access control lists”
• “Administering access control list entries” on page 30
• “Administering access control list extended attributes” on page 32
• “Administering extended actions” on page 33
• “Administering action groups” on page 32
Administering access control lists

ACLs enable you to grant or restrict specific users and groups access to protected resources. The administration API enables you to:
• Create and delete ACLs
• Retrieve or change information associated with an ACL
• List the user, group, any-other, and unauthenticated entries that are included in the ACL
• List all defined ACLs.

The name of an ACL can be of any length. The following characters are allowed in an ACL name:
• Alphanumeric characters defined in the locale
• The underscore (_) character
• The hyphen (-) character

You specify the user entries that belong in each ACL. You also specify the permissions or actions that each user is allowed to perform.
You can specify permissions or actions based on group membership, rather than individual user identity, to expedite administration tasks.

The administration API defines the PDAcl object to contain a retrieved ACL. You can use administration API classes and methods to extract information from the PDAcl object.

Be sure that you understand how to define an ACL policy before using the administration API ACL methods. For more information, see the section about ACL entry syntax in the IBM Tivoli Access Manager Base Administration Guide.

Table 12 describes the methods for administering ACLs.

Table 12. Administering access control lists

PDAcl.createAcl
    Creates a new ACL.
PDAcl.deleteAcl
    Deletes the specified ACL.
PDAcl constructor
    Instantiates the specified ACL.
PDAcl object.getDescription
    Returns the description of the specified ACL.
PDAcl object.getId
    Returns the name of the specified ACL.
PDAcl.listAcls
    Returns the names of all the defined ACLs.
PDAcl.setDescription
PDAcl object.setDescription
    Sets or modifies the description for the specified ACL.
Administering access control list entries

You must create an ACL object before you can administer ACL entries for the object. The administration API can be used to specify entries for each of the following ACL entry types:
• Users
• Groups
• User any-other (also known as any-authenticated)
• User unauthenticated

PDAclEntryUser
    An ACL entry that applies to a particular user.
PDAclEntryGroup
    An ACL entry that applies to all members of a particular group.
PDAclEntryAnyOther
    The ACL entry that applies to any other authenticated users. Any user that has been authenticated into the Tivoli Access Manager secure domain, but is not covered by a separate user or group entry in the access control list, is allowed the permissions specified by this ACL entry.
PDAclEntryUnAuth
    The ACL entry that applies to unauthenticated users. Any user that has not been authenticated is allowed the permissions specified by this ACL entry.
Be sure that you understand ACL entry syntax, ACL entry types, and ACL permission (action) attributes before you use the administration API methods in this section. Tivoli Access Manager supports 18 default actions. For a list of the default Tivoli Access Manager actions, see the section about default Tivoli Access Manager permissions for actions in the IBM Tivoli Access Manager Base Administration Guide. For more information, see the section about ACL entry syntax in the IBM Tivoli Access Manager Base Administration Guide.

Table 13 lists the methods for administering ACL entries.

Table 13. Administering access control list entries

PDAcl object.getPDAclEntryAnyOther
    Returns the PDAclEntryAnyOther object associated with the ACL.
PDAcl object.getPDAclEntryUnAuth
    Returns the PDAclEntryUnAuth object associated with the ACL.
PDAcl object.getPDAclEntriesUser
    Returns a Java HashMap of the PDAclEntryUser objects associated with the ACL.
PDAcl object.getPDAclEntriesGroup
    Returns a Java HashMap of the PDAclEntryGroup objects associated with the ACL.
PDAcl.removePDAclEntryAnyOther
PDAcl object.removePDAclEntryAnyOther
    Removes the ACL entry for the any-other user from the specified ACL.
PDAcl.removePDAclEntryGroup
PDAcl object.removePDAclEntryGroup
    Removes the ACL entry for the specified group from the specified ACL.
PDAcl.removePDAclEntryUnAuth
PDAcl object.removePDAclEntryUnAuth
    Removes the ACL entry for the unauthenticated user from the specified ACL.
PDAcl.removePDAclEntryUser
PDAcl object.removePDAclEntryUser
    Removes the ACL entry for the specified user from the specified ACL.
PDAcl.setPDAclEntryAnyOther
PDAcl object.setPDAclEntryAnyOther
    Sets or modifies the ACL entry for the any-other user in the ACL. Call this function to specify permissions for all authenticated users that do not have a separate user or group entry in the specified ACL.
PDAcl.setPDAclEntryGroup
PDAcl object.setPDAclEntryGroup
    Sets or modifies the ACL entry for the specified group in the specified ACL.
PDAcl.setPDAclEntryUnAuth
PDAcl object.setPDAclEntryUnAuth
    Sets the ACL entry for the unauthenticated user in the specified ACL. Call this function to specify permissions for those users that have not been authenticated.
PDAcl.setPDAclEntryUser
PDAcl object.setPDAclEntryUser
    Sets the entry for the specified user in the specified ACL. Use this to specify the actions that a user is permitted to perform.
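The way the four entry types resolve for a given principal, as an added stand-alone Python model of the semantics described in this section. It is not the Tivoli Access Manager Java API and not code from this reference: the Acl class, the user and group names, the permission letters and the rule that group entries are combined as a union are constructed for illustration, and str.isalnum() stands in for "alphanumeric characters defined in the locale" in the ACL-name check.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def valid_acl_name(name: str) -> bool:
    """Check the ACL-name rule given above: locale alphanumerics, '_' and '-'.

    str.isalnum() stands in for "alphanumeric characters defined in the locale".
    """
    return len(name) > 0 and all(c.isalnum() or c in "_-" for c in name)


@dataclass
class Acl:
    """One ACL holding the four entry types: user, group, any-other, unauthenticated."""
    name: str
    user_entries: Dict[str, str] = field(default_factory=dict)   # user id -> permission string
    group_entries: Dict[str, str] = field(default_factory=dict)  # group id -> permission string
    any_other: Optional[str] = None        # authenticated users with no user/group entry
    unauthenticated: Optional[str] = None  # users who have not authenticated

    def __post_init__(self) -> None:
        if not valid_acl_name(self.name):
            raise ValueError(f"invalid ACL name: {self.name!r}")

    def set_user_entry(self, user_id: str, perms: str) -> None:
        self.user_entries[user_id] = perms

    def set_group_entry(self, group_id: str, perms: str) -> None:
        self.group_entries[group_id] = perms

    def remove_user_entry(self, user_id: str) -> None:
        self.user_entries.pop(user_id, None)


def effective_permissions(acl: Acl, user_id: Optional[str], groups: Set[str]) -> str:
    """Resolve which entry applies to a principal and return its permission string.

    user_id None = unauthenticated request: only the unauthenticated entry counts.
    Otherwise a user entry wins; failing that, the union of the group entries for
    the groups the user belongs to (the union rule is an assumption of this model);
    failing that, the any-other entry. With no applicable entry nothing is granted.
    """
    if user_id is None:
        return acl.unauthenticated or ""
    if user_id in acl.user_entries:
        return acl.user_entries[user_id]
    group_perms = [acl.group_entries[g] for g in sorted(groups) if g in acl.group_entries]
    if group_perms:
        return "".join(sorted(set("".join(group_perms))))
    return acl.any_other or ""


def is_permitted(acl: Acl, user_id: Optional[str], groups: Set[str], action: str) -> bool:
    """True when the resolved entry grants the single-character action."""
    return action in effective_permissions(acl, user_id, groups)


def build_sample_acl() -> Acl:
    """Constructed sample ACL; the permission letters are illustrative only."""
    acl = Acl("web-app_acl")
    acl.set_user_entry("alice", "Trx")
    acl.set_group_entry("developers", "Tr")
    acl.set_group_entry("operators", "Tx")
    acl.any_other = "T"   # any other authenticated user may only traverse
    return acl            # no unauthenticated entry: anonymous requests get nothing


if __name__ == "__main__":
    sample = build_sample_acl()
    for who, grp in [("alice", {"developers"}), ("bob", {"developers", "operators"}),
                     ("carol", set()), (None, set())]:
        print(who, sorted(grp), repr(effective_permissions(sample, who, grp)))
```

The point the model makes explicit is the fall-through order: a user entry shadows every group entry for that user, an authenticated user without any entry lands on any-other, and an unauthenticated request sees only the unauthenticated entry, so leaving that entry unset denies anonymous access entirely.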
Administering access control list extended attributes

Extended attributes for an ACL can be obtained, set, and deleted. Table 14 lists the methods available for administering ACL extended attributes.

Table 14. Administering access control list extended attributes

PDAcl.deleteAttribute
PDAcl object.deleteAttribute
    Deletes the specified extended attribute key from the specified ACL.
PDAcl.deleteAttributeValue
PDAcl object.deleteAttributeValue
    Deletes the specified value from the specified extended attribute key in the specified ACL.
PDAcl object.getAttributeValues
    Gets the extended attribute values for the specified extended attribute key from the specified ACL.
PDAcl object.getAttributeNames
    Lists the extended attribute keys associated with the specified ACL.
PDAcl.setAttributeValue
PDAcl object.setAttributeValue
    Creates an extended attribute with the specified name and value, if it does not already exist, and adds the attribute to the specified ACL. If the attribute specified already exists, the specified value is added to the existing attribute.
Administering action groups

You can use the administration API to create, examine, and delete new action groups. Each action group can contain up to 32 actions. The default action group, referred to as the primary action group, contains the 18 predefined Tivoli Access Manager actions. Thus, you can add up to 14 new actions to the primary group. When you need to create more than 32 actions, you can use the administration API to define a new action group. Tivoli Access Manager supports up to 32 action groups.

For more information about action groups, see the section about creating extended ACL actions and action groups in the IBM Tivoli Access Manager Base Administration Guide.

Table 15 lists the methods for administering action groups.

Table 15. Administering action groups

PDActionGroup.createActionGroup
    Creates a new action group with the specified name.
PDActionGroup.deleteActionGroup
    Deletes the specified action group and all the actions that belong to the specified group.
PDActionGroup.listActionGroups
    Lists all the defined action group names.
Administering extended actions

Tivoli Access Manager provides a default set of actions (permissions) that belong to the primary action group that can be granted to users or groups. You can use the administration API to define new, extended actions that supplement the set of default actions. Each of the extended actions can belong to the primary action group or to a custom action group. Extended actions are typically defined to support actions that are specific to a third-party application.

For more information about extended actions, see the section about creating extended ACL actions and action groups in the IBM Tivoli Access Manager Base Administration Guide.

Table 16 lists the methods for administering extended actions.

Table 16. Administering extended actions

PDAction.createAction
    Defines a new action (permission) in the specified action group.
PDAction.deleteAction
    Deletes an action (permission) from the specified action group.
PDAction constructor
    Gets the specified PDAction object.
PDAction object.getDescription
    Returns the description for the specified action.
PDAction object.getId
    Returns the name for the specified action.
PDAction object.getType
    Returns the type for the specified action.
PDAction.listActions
    Lists all the defined actions (permissions) for the specified action group.
Chapter 6. Administering protected object policies

You can use the administration API to create, modify, examine, and delete IBM Tivoli Access Manager (Tivoli Access Manager) protected object policies (POPs). You can also use the Administration API to attach or detach POPs from protected objects.

You can use POPs to impose additional conditions on operations that are permitted by an access control list (ACL) policy. These additional conditions are enforced regardless of the user or group identities specified in the ACL entries. Examples of additional conditions include the following:
• Specifying the quality of protection
• Writing a report record to the auditing service
• Requiring an authentication strength level
• Restricting access to a specific time period
• Enabling or disabling warning mode, which allows an administrator to validate security policy

Be sure that you understand Tivoli Access Manager POPs before using the administration API to administer POPs. For more information, see the chapter about using POPs in the IBM Tivoli Access Manager Base Administration Guide.

This chapter contains the following topics:
• "Administering protected object policy objects"
• "Administering protected object policy settings" on page 36
• "Administering protected object policy extended attributes" on page 37

Administering protected object policy objects

POP objects are administered in a similar way to ACL policies. You can create and configure a POP, and then attach the POP to objects in the protected object space.

Table 17 lists the methods for administering protected object policy objects.

Table 17. Administering protected object policy objects

PDPop.createPop
    Creates a POP object with the default values.
PDPop.deletePop
    Deletes the specified POP.
PDPop object.getDescription
    Gets the description of the specified POP.
PDPop object.getId
    Gets the name of the specified POP.
PDProtObject.listProtObjectsByPop
    Finds and lists all protected objects that have the specified POP attached.
PDPop constructor
PDProtObject object.getPop
    Gets the specified POP object.
PDPop.listPops
    Lists all POP objects.
PDPop.IPAuthInfo object

An array of PDPop.IPAuthInfo objects is passed as input to the PDPop.setIPAuthInfo and PDPop.removeIPAuthInfo methods. Each PDPop.IPAuthInfo object contains the following information:

IP address
    The IP address, in "%d.%d.%d.%d" String format, associated with the credentials that are being checked. A value of "0.0.0.0" indicates this setting is for any other network for which this policy is not set explicitly.
Netmask
    The netmask, in "%d.%d.%d.%d" String format, associated with the credentials that are being checked. A value of "0.0.0.0" indicates this setting applies to any other network for which this policy is not set explicitly.
IP authentication level
    The IP authentication level of the credentials for the specified IP address and netmask when trying to access the protected object to which this POP is attached. Use the constant PDPOP_IPAUTH_LEVEL_FORBIDDEN_ALL_NETWORKS to deny access from all networks.

See the IBM Tivoli Access Manager Base Administration Guide for more information about IP authentication POP policy. See the Javadoc for the PDPop.IPAuthInfo object and its associated methods for additional information.
Administering protected object policy settings

You can use the administration API to set, modify, or remove attributes in a POP. You must create the POP object before specifying POP settings. You can use administration API functions to specify the following POP attributes:
• Authentication levels
• Quality of Protection (QOP) requirements
• Auditing levels
• Time of day access restrictions
• Warning mode settings

Authentication levels specify whether additional or alternative authentication is required to access a protected object. The additional authentication is also called step-up authentication. This means that an additional authentication step is required in order to access resources that require more restrictive access policies. When using step-up authentication, you can either filter users based on IP address or you can specify step-up authentication for all users, regardless of IP address. For more information about the use of the authentication level by WebSEAL, see the section about authentication strength POP policy (step-up) in the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

The quality of protection (QOP) level is not enforced internally by Tivoli Access Manager. Applications that set the quality of protection can enforce it.

Audit levels specify what operations generate an audit record. This value is used internally by Tivoli Access Manager and also can be used by applications to generate their audit records.
The time of day access setting is used to control access to a protected object based on the time when the access occurs.

The warning mode enables a security administrator to troubleshoot the authorization policy set on the protected object space. When you set the warning attribute to yes, any action is possible by any user on the object where the POP is attached. Any access to an object is permitted even if the ACL policy attached to the object is set to deny this access. Audit records are generated that capture the results of all ACL policies with warning mode set throughout the object space. The audit log shows the outcome of an authorization decision as it would have been made if the warning attribute had been set to no.

Table 18 lists the methods for administering protected object policy settings.

Table 18. Administering protected object policy settings

PDPop object.getIPAuthInfo
    Gets the IP authentication level information from the specified POP.
PDPop object.getAuditLevel
    Gets the audit level for the specified POP.
PDPop object.getQOP
    Gets the quality of protection (QOP) level for the specified POP.
PDPop object.getTodAccessInfo
    Gets the time of day range for the specified POP.
PDPop object.getWarningMode
    Gets the warning mode value from the specified POP.
PDPop.removeIPAuthInfo
PDPop object.removeIPAuthInfo
    Removes the specified IP authentication level information from the specified POP.
PDPop.setIPAuthInfo
PDPop object.setIPAuthInfo
    Sets the IP authentication level information for the specified POP.
PDPop.setAuditLevel
PDPop object.setAuditLevel
    Sets the audit level for the specified POP.
PDPop.setDescription
PDPop object.setDescription
    Sets the description of the specified POP.
PDPop.setQOP
PDPop object.setQOP
    Sets the quality of protection level for the specified POP.
PDPop.setTodAccessInfo
PDPop object.setTodAccessInfo
    Sets the time of day range for the specified POP.
PDPop.setWarningMode
PDPop object.setWarningMode
    Sets the warning mode for the specified POP.
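How the PDPop.IPAuthInfo entries described earlier in this chapter select a required authentication level for a client address, and how warning mode turns a denial into a permitted access with an audit record of the decision that would otherwise have been made, as one added stand-alone Python model covering both passages. This is not the Tivoli Access Manager Java API and not code from this reference: the IPAuthInfo and Pop classes, the sample networks and levels, the numeric value used for the forbidden-all-networks marker, the most-specific-netmask rule for overlapping entries and the treatment of an insufficient level as a plain denial (WebSEAL would start step-up authentication instead) are all assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Stands in for PDPop.PDPOP_IPAUTH_LEVEL_FORBIDDEN_ALL_NETWORKS; the numeric value
# is an assumption of this model, real code uses the class constant.
FORBIDDEN_ALL_NETWORKS = -1


@dataclass
class IPAuthInfo:
    """Mirror of the three fields of a PDPop.IPAuthInfo object."""
    ip_address: str   # "%d.%d.%d.%d"
    netmask: str      # "%d.%d.%d.%d"
    auth_level: int   # required level, or FORBIDDEN_ALL_NETWORKS

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network((self.ip_address, self.netmask), strict=False)

    @property
    def is_default(self) -> bool:
        """0.0.0.0 / 0.0.0.0 is the entry for any network not set explicitly."""
        return self.ip_address == "0.0.0.0" and self.netmask == "0.0.0.0"


def required_auth_level(entries: List[IPAuthInfo], client_ip: str) -> Optional[int]:
    """Pick the IPAuthInfo entry that applies to client_ip.

    Explicit entries take precedence over the 0.0.0.0 default; among several
    explicit matches the most specific netmask wins (assumption of this model).
    None means the POP sets no IP authentication requirement for this client.
    """
    addr = ipaddress.IPv4Address(client_ip)
    explicit = [e for e in entries if not e.is_default and addr in e.network]
    if explicit:
        return max(explicit, key=lambda e: e.network.prefixlen).auth_level
    for e in entries:
        if e.is_default:
            return e.auth_level
    return None


@dataclass
class Pop:
    """The subset of POP settings this model evaluates."""
    name: str
    ip_auth: List[IPAuthInfo] = field(default_factory=list)
    warning_mode: bool = False
    audit_log: List[str] = field(default_factory=list)


def authorize(pop: Pop, acl_permits: bool, client_ip: str, client_auth_level: int) -> bool:
    """Apply the POP conditions on top of an ACL decision computed elsewhere.

    A client below the required level is reported as denied here (WebSEAL would
    instead start step-up authentication). With warning mode on, the access is
    permitted whatever the policy says, and an audit record captures the
    decision that would have been made with warning mode off.
    """
    level = required_auth_level(pop.ip_auth, client_ip)
    if level == FORBIDDEN_ALL_NETWORKS:
        decision, reason = False, "ip-auth: forbidden network"
    elif level is not None and client_auth_level < level:
        decision, reason = False, f"ip-auth: level {client_auth_level} below required {level}"
    else:
        decision, reason = acl_permits, "acl decision"
    if pop.warning_mode:
        outcome = "permit" if decision else "deny"
        pop.audit_log.append(
            f"pop={pop.name} client={client_ip} warning-mode: would {outcome} ({reason})")
        return True
    return decision


def build_sample_pop(warning_mode: bool = False) -> Pop:
    """Constructed sample POP: the intranet needs level 1, one subnet level 2,
    one subnet is forbidden entirely, and any other network needs level 0."""
    return Pop("step-up-pop", [
        IPAuthInfo("10.0.0.0", "255.0.0.0", 1),
        IPAuthInfo("10.1.2.0", "255.255.255.0", 2),
        IPAuthInfo("192.168.99.0", "255.255.255.0", FORBIDDEN_ALL_NETWORKS),
        IPAuthInfo("0.0.0.0", "0.0.0.0", 0),
    ], warning_mode)


if __name__ == "__main__":
    pop = build_sample_pop(warning_mode=True)
    print(authorize(pop, acl_permits=False, client_ip="10.1.2.7", client_auth_level=1))
    print(pop.audit_log)
```

The audit line is the whole value of warning mode: while it is on, every request succeeds, so the only evidence that a policy would have blocked something is the recorded "would deny" outcome, which is why the chapter describes the mode as a troubleshooting aid rather than an enforcement setting.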
Administering protected object policy extended attributes

You can use the administration API to set, modify, or remove extended attributes in a POP. Table 19 on page 38 lists the methods for administering protected object policy extended attributes.
Table 19. Administering protected object policy extended attributes

PDPop.deleteAttribute
PDPop object.deleteAttribute
    Deletes the specified extended attribute from the specified POP.
PDPop.deleteAttributeValue
PDPop object.deleteAttributeValue
    Deletes the specified value from the specified extended attribute key in the specified POP.
PDPop object.getAttributeValues
    Gets the values for the specified extended attribute from the specified POP.
PDPop object.getAttributeNames
    Lists the extended attributes associated with the specified POP.
PDPop.setAttributeValue
PDPop object.setAttributeValue
    Sets the value for the specified extended attribute in the specified POP.
Chapter 7. Administering authorization rules

Authorization rules are conditions or standards contained in an authorization policy that are used to make access decisions based upon attributes such as user, application, and environment context. Authorization rules are defined to specify conditions that must be met before access to a protected object is permitted. A rule is created using a number of boolean conditions that are based on data supplied to the authorization engine within the user credential, from the resource manager application, or from the encompassing business environment.

A Tivoli Access Manager authorization rule is a policy type similar to an access control list (ACL) or a protected object policy (POP). The rule is stored as a text rule within a rule policy object and is attached to a protected object in the same way and with the same constraints as ACLs and POPs.

The Tivoli Access Manager administration Java classes provide methods to create, delete, modify, list and get authorization rules. For more information on authorization rules, see the IBM Tivoli Access Manager Base Administration Guide.

Use the methods shown in Table 20 to administer authorization rule objects.

Table 20. Administering authorization rules

PDAuthzRule.createAuthzRule
    Creates the specified authorization rule object.
PDAuthzRule.deleteAuthzRule
    Deletes the specified authorization rule object.
PDAuthzRule constructor
    Instantiates the specified authorization rule object.
PDAuthzRule object.getId
    Gets the ID for the specified authorization rule.
PDAuthzRule object.getDescription
    Gets the description for the specified authorization rule.
PDAuthzRule object.getFailReason
    Gets the fail reason, if any, for the specified authorization rule.
PDAuthzRule object.getRuleText
    Gets the rule text for the specified authorization rule.
PDAuthzRule.listAuthzRules
    Lists all of the registered authorization rules.
PDAuthzRule.setDescription
PDAuthzRule object.setDescription
    Sets the description for the specified authorization rule.
PDAuthzRule.setRuleText
PDAuthzRule object.setRuleText
    Sets the authorization rule text.
PDAuthzRule.setFailReason
PDAuthzRule object.setFailReason
    Sets the authorization rule fail reason.
Chapter 8. Administering single signon resources

You can use the administration API to administer resources that enable an IBM Tivoli Access Manager (Tivoli Access Manager) user to obtain single signon (SSO) capability across more than one Web server. This capability requires the use of Tivoli Access Manager WebSEAL junctions.

You can use the administration API to create, modify, examine, and delete the following types of resources:
• Administering Web resources
• Administering resource groups
• Administering resource credentials

Be sure that you understand Tivoli Access Manager single signon support before you use the administration API to administer single signon resources. For more information about administering single signon capability across junctioned Web server resources, see the section about user registry resource management commands in the IBM Tivoli Access Manager Base Administration Guide and the section about using global signon (GSO) in the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

This chapter contains the following topics:
• "Administering Web resources"
• "Administering resource groups" on page 42
• "Administering resource credentials" on page 43

Administering Web resources

A Web resource is a Web server that serves as the backend of a Tivoli Access Manager WebSEAL junction. An application on the joined Web server can require users to authenticate specifically to the application. The authentication information, such as user name and password, often differs from the authentication information used by Tivoli Access Manager. The junctioned Web server thus requires an authenticated Tivoli Access Manager user to log in again, using the user name and password specific to the application on the joined Web server.

You can use the administration API to configure Tivoli Access Manager so that Tivoli Access Manager users need to authenticate only one time. You must define a Web resource (server) and then define a user-specific resource credential that contains user-specific authentication information for the Web resource.

This section describes how to create, modify, and delete Web resources. Administration of resource credentials is described in "Administering resource credentials" on page 43.

Note: The administration API does not perform all WebSEAL junction configuration tasks through the API. Use the pdadmin commands to modify the junction definitions. For more information, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.
Table 21 lists the methods for administering Web resources.

Table 21. Administering Web resources

PDSSOResource.createSSOResource
    Creates a single signon Web resource.
PDSSOResource.deleteSSOResource
    Deletes the specified single signon Web resource.
PDSSOResource constructor
    Instantiates the specified single signon Web resource.
PDSSOResource object.getDescription
    Returns the description of the specified single signon Web resource.
PDSSOResource object.getId
    Returns the name (identifier) of the specified single signon Web resource.
PDSSOResource.listSSOResources
    Returns a list of all of the single signon Web resource names.

Administering resource groups

A resource group is a group of Web servers, all of which have been junctioned to a Tivoli Access Manager WebSEAL server and all of which use the same set of user IDs and passwords. You can use the administration API to create resource groups. You can then create a single resource credential for all the resources in the resource group. This enables you to simplify the management of Web resources by grouping similar Web resources into resource groups. You can also use the administration API to add more Web resources, when necessary, to an existing resource group.

Table 22 lists the methods for administering resource groups.

Table 22. Administering resource groups

PDSSOResourceGroup.addSSOResource
PDSSOResourceGroup object.addSSOResource
    Adds a single signon resource to a single signon resource group.
PDSSOResourceGroup.createSSOResourceGroup
    Creates a single signon group resource.
PDSSOResourceGroup.deleteSSOResourceGroup
    Deletes a single signon group resource.
PDSSOResourceGroup constructor
    Instantiates the specified single signon group resource.
PDSSOResourceGroup object.getDescription
    Returns the description of the single signon group resource.
PDSSOResourceGroup object.getId
    Returns the name of the single signon group resource.
PDSSOResourceGroup object.getSSOResources
    Returns a list of the member single signon resource names for the specified single signon group.
PDSSOResourceGroup.listSSOResourceGroups
    Returns a list of all of the single signon group resource names.
Table 22. Administering resource groups (continued)

PDSSOResourceGroup.removeSSOResource
PDSSOResourceGroup object.removeSSOResource
    Removes a single signon resource from the specified single signon resource group.

Administering resource credentials

A resource credential provides a user ID and password for a single signon user-specific resource, such as a Web server or a group of Web servers. The Web resource or group of Web resources must exist before you can apply resource credentials to it. Resource credential information is stored in the user's Tivoli Access Manager entry in the user registry.

You can use the administration API to create, modify, examine, and delete resource credentials. Table 23 lists the methods for administering credentials.

Table 23. Administering credentials

PDSSOCred.createSSOCred
    Creates a single signon credential.
PDSSOCred.deleteSSOCred
    Deletes a single signon credential.
PDSSOCred constructor
    Instantiates the specified single signon credential.
PDSSOCred object.getResourceName
    Returns the name of the single signon resource associated with this credential.
PDSSOCred object.getResourcePassword
    Returns the password associated with this single signon credential.
PDSSOCred object.getResourceUser
    Returns the name of the resource user associated with the specified single signon credential.
PDSSOCred object.getResourceType
    Returns the type of the single signon resource associated with the specified single signon credential.
PDSSOCred object.getUser
    Returns the name of the Tivoli Access Manager user associated with this single signon credential.
PDSSOCred.listAndShowSSOCreds
    Returns the list of single signon credentials for the specified user.
PDSSOCred.listSSOCreds
    Returns the IDs (user, resource, and type) of the single signon credentials for the specified user. This information is a subset of that returned by the listAndShowSSOCreds method.
PDSSOCred.setSSOCred
PDSSOCred object.setSSOCred
    Modifies a single signon credential.
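The relationship between Web resources, resource groups and user-specific resource credentials that this chapter lays out, as an added stand-alone Python model covering the three sections above. It is not the Tivoli Access Manager Java API and not code from this reference: the SSORegistry class, the resource type labels, the server names, users and passwords, and the rule that a resource's own credential takes precedence over a credential held for a group containing it are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RESOURCE_TYPE_WEB = "web"      # credential applies to one Web resource
RESOURCE_TYPE_GROUP = "group"  # credential applies to a resource group (labels assumed)

CredId = Tuple[str, str, str]  # (TAM user, resource name, resource type)
Credential = Tuple[str, str]   # (resource user ID, resource password)


@dataclass
class SSORegistry:
    """Web resources, resource groups and the per-user credentials stored for them."""
    web_resources: Set[str] = field(default_factory=set)
    resource_groups: Dict[str, Set[str]] = field(default_factory=dict)
    credentials: Dict[CredId, Credential] = field(default_factory=dict)

    def create_resource(self, name: str) -> None:
        self.web_resources.add(name)

    def create_group(self, name: str) -> None:
        self.resource_groups.setdefault(name, set())

    def add_to_group(self, group: str, resource: str) -> None:
        """Only an existing Web resource can join a group."""
        if resource not in self.web_resources:
            raise KeyError(f"unknown Web resource {resource!r}")
        self.resource_groups[group].add(resource)

    def create_credential(self, tam_user: str, resource: str, rtype: str,
                          resource_user: str, resource_password: str) -> None:
        """The Web resource or group must exist before a credential can be applied to it."""
        known = self.web_resources if rtype == RESOURCE_TYPE_WEB else self.resource_groups
        if resource not in known:
            raise KeyError(f"no {rtype} resource named {resource!r}")
        self.credentials[(tam_user, resource, rtype)] = (resource_user, resource_password)

    def list_credentials(self, tam_user: str) -> List[CredId]:
        """IDs only (user, resource, type), the subset listSSOCreds returns; no secrets."""
        return sorted(k for k in self.credentials if k[0] == tam_user)

    def list_and_show_credentials(self, tam_user: str) -> Dict[CredId, Credential]:
        """Full entries including the resource password, as listAndShowSSOCreds returns."""
        return {k: v for k, v in self.credentials.items() if k[0] == tam_user}

    def credential_for_server(self, tam_user: str, server: str) -> Optional[Credential]:
        """Credential to present to a junctioned server: the resource's own
        credential, else that of a group containing it (precedence assumed)."""
        direct = self.credentials.get((tam_user, server, RESOURCE_TYPE_WEB))
        if direct is not None:
            return direct
        for group in sorted(self.resource_groups):
            if server in self.resource_groups[group]:
                cred = self.credentials.get((tam_user, group, RESOURCE_TYPE_GROUP))
                if cred is not None:
                    return cred
        return None


def build_sample_registry() -> SSORegistry:
    """Constructed sample data: two servers share one login through a group."""
    reg = SSORegistry()
    for name in ("hr-app", "payroll-app", "wiki"):
        reg.create_resource(name)
    reg.create_group("erp")
    reg.add_to_group("erp", "hr-app")
    reg.add_to_group("erp", "payroll-app")
    reg.create_credential("alice", "erp", RESOURCE_TYPE_GROUP, "alice.erp", "erp-secret")
    reg.create_credential("alice", "wiki", RESOURCE_TYPE_WEB, "awiki", "wiki-secret")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.list_credentials("alice"))
    print(reg.credential_for_server("alice", "payroll-app"))
```

Two things the model keeps visible: the existence check in create_credential matches the chapter's rule that the resource or group must exist first, and list_credentials deliberately returns identifiers only, so code that merely needs to enumerate a user's credentials never has to handle the stored passwords.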
Chapter 9. Administering domains

A Tivoli Access Manager policy server domain consists of all the physical resources that require protection along with the associated security policy used to protect those resources. Any security policy implemented in a domain affects only those resources in that domain. Multiple domains can exist simultaneously within a Tivoli Access Manager installation. Data is securely partitioned between domains. A user or process must authenticate to a specific domain in order to access data contained within it.

Each Tivoli Access Manager installation contains a single management domain. A user must be authenticated to the management domain in order to create, delete, list or modify other domains. To specify the management domain in methods that take a domain argument, use the PDDomain.getMgmtDomainName method.

Each Java Runtime Environment (JRE) may optionally be configured to use a specific domain. This domain is called the local domain. To specify the local domain in methods that take a domain argument, use the PDDomain.getLocalDomainName method. If a JRE has not been configured to use a specific domain, the local domain defaults to the management domain.

The Java classes provide methods that can be used to manage domains. For more information on the management of domains, see the IBM Tivoli Access Manager Base Administration Guide.

Table 24 lists the methods for administering domains.

Table 24. Administering domains

PDDomain.createDomain
    Creates a new Tivoli Access Manager domain.
PDDomain.deleteDomain
    Deletes the specified Tivoli Access Manager domain.
PDDomain constructor
    Instantiates the specified domain object.
PDDomain object.getDescription
    Gets the description for the specified Tivoli Access Manager domain.
PDDomain object.getId
    Gets the name of the specified Tivoli Access Manager domain.
PDDomain.listDomains
    Lists the names of all the Tivoli Access Manager domains, with the exception of the management domain.
PDDomain.getLocalDomainName
    Gets the name of the local domain.
PDDomain.getMgmtDomainName
    Gets the name of the management domain.
PDDomain.setDescription
PDDomain object.setDescription
    Changes the description for the specified Tivoli Access Manager domain.
Chapter 10. Configuring application servers

You can use the administration API to configure and unconfigure authorization and administration API servers, modify configuration parameters, administer replicas, and perform certificate maintenance.

The com.tivoli.pd.jcfg.SvrSslCfg class is used to perform the necessary configuration steps that allow an application to use a secure sockets layer (SSL) connection for communicating with the policy server or the authorization server. It is not intended to do all of the configuration that may be required to ensure a correctly functioning application. For more information about the com.tivoli.pd.jcfg.SvrSslCfg class, see the IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference.

This chapter contains the following topics:
• "Configuring application servers"
• "Administering configuration information"
• "Certificate maintenance" on page 48

Configuring application servers

Use the configuration commands to enable an application server (an application that uses the authorization or administration API) to communicate with the policy server or the authorization server. An administrative user identity (for example, sec_master) and password must be specified for connecting to the policy server.

Table 25. Configuring application servers

PDAppSvrConfig.configureAppSvr
    Configures an application server by updating the configuration file and creating the keystore file.
PDAppSvrConfig.setAppSvrListening
    Sets or resets the enable-listening parameter in the configuration file.
PDAppSvrConfig.setAppSvrDbDir
    Sets the local policy database directory in the configuration file.
PDAppSvrConfig.setAppSvrDbRefresh
    Sets the local policy database refresh interval in the configuration file.
PDAppSvrConfig.setAppSvrPort
    Changes the listening port number of the application in the configuration file.
PDAppSvrConfig.unconfigureAppSvr
    Unconfigures an application server.

Administering configuration information

Table 26. Administering configuration information

PDAppSvrConfig.addPDServer
    Adds a replica entry to the configuration file.
PDAppSvrConfig.changePDServer
    Changes parameters of a replica entry in the configuration file.
Table 26. Administering configuration information (continued)

PDAppSvrConfig.removePDServer
    Removes a replica entry from the configuration file.
PDAppSvrConfig.getPDAppSvrInfo
    Returns a PDAppSvrInfo object containing information stored in the configuration file.
PDAppSvrConfig.getKeystoreURL
    Returns the URL of the keystore file that is associated with the configuration file.

Certificate maintenance

Only use the replaceAppSvrCert method when the certificate has been compromised.

Table 27. Certificate maintenance

PDAppSvrConfig.replaceAppSvrCert
    Replaces the server SSL certificate.
48
IBM
Tivoli
Access
Manager
for
e-business:
Administration
Java
Classes
Developer
Reference
Chapter 11. Administering servers

You can use the administration API to get a list of tasks from the server, send a specific task to an authorization server, and notify replica databases, either automatically or manually, when the master authorization database is updated.

This chapter contains the following topics:
• Getting and performing administration tasks
• Notifying replica databases when the master authorization database is updated
  – Notifying replica databases automatically
  – Notifying replica databases manually
  – Setting the maximum number of notification threads
  – Setting the notification wait time

Getting and performing administration tasks

You can send an administration task to a server. You also can request a list of all supported administration tasks from a server. The caller must have credentials with sufficient permission to perform the task. For more information, see the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.

Notifying replica databases when the master authorization database is updated

When an administrator makes security policy changes, the policy server makes adjustments to the master authorization database to reflect these changes. To ensure that these changes also are dispersed to any authorization servers with replica databases, you can do one or more of the following:
• Configure an IBM Tivoli Access Manager (Tivoli Access Manager) application, such as WebSEAL, to poll the master authorization database at regular intervals for updates. By default, polling is disabled. For more information about polling the master authorization database, see the cache-refresh-interval option described in the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.
• Enable the policy server to notify authorization servers each time that the master authorization database is updated. This automatic process is recommended for environments where database changes are infrequent. For more information, see "Notifying replica databases automatically" on page 50.
• Notify authorization servers, on demand, after you make updates to the master authorization database. This manual process is recommended for environments where database changes are frequent and involve substantial changes. For instructions, see "Notifying replica databases manually" on page 50.

After you select the method that you want to use to update replica databases (automatic, manual, or both), you can fine-tune settings in the ivmgrd.conf file on the policy server. For more information, see "Setting the maximum number of notification threads" on page 50 and "Setting the notification wait time" on page 50.
Notifying replica databases automatically

You can enable the policy server to send notifications to authorization servers each time that the master authorization database is updated. In turn, the authorization servers automatically request a database update from the policy server.

To enable automatic database updates, edit the ivmgrd.conf file on the policy server and add the following attribute=value pair:

[ivmgrd]
auto-database-update-notify = yes

You must restart the policy server for changes to take effect. Note that this setting is recommended for environments where the master database is changed infrequently. To turn off automatic notification, specify no.
Notifying replica databases manually

When the master authorization database is updated, you can use the PDServer.replicateServer method to send notification to application servers that are configured to receive database update notifications. You can indicate that a specific server receive update notifications, or specify NULL, which notifies all configured authorization servers in the secure domain.

If you specify a server name, you are notified whether the server was replicated successfully or if a failure occurred. If you do not specify a server name, return codes indicate whether or not the policy server started notifying authorization servers in your secure domain. Note that unless you specify the server-name option, you are not notified when an authorization server's database was replicated successfully.
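An added example of the manual notification described above; it is not code from this manual or from the product, and the API details it relies on are assumptions: the constructor PDContext(Locale, String, char[], URL), the signature PDServer.replicateServer(PDContext, String, PDMessages), PDException.getMessages(), and iteration over PDMessages. The configuration file path is a placeholder. It calls replicateServer for one named server or, with null, for every configured authorization server, and handles the PDException and PDMessages response the way Appendix A describes.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;

import com.tivoli.pd.jadmin.PDServer;
import com.tivoli.pd.jutil.PDContext;
import com.tivoli.pd.jutil.PDException;
import com.tivoli.pd.jutil.PDMessages;

/** Added example: pushes master authorization database updates to replica databases. */
public class ReplicaNotifier {

    /**
     * Notifies one authorization server (serverName != null) or every configured
     * authorization server in the secure domain (serverName == null).
     * Returns true when replicateServer returned without a PDException.
     */
    static boolean notifyReplicas(PDContext ctx, String serverName) {
        PDMessages msgs = new PDMessages();
        try {
            // Assumed signature: replicateServer(PDContext, String serverName, PDMessages).
            PDServer.replicateServer(ctx, serverName, msgs);
            if (serverName != null) {
                // Named server: a normal return means that server's database was replicated.
                System.out.println("replicated: " + serverName);
            } else {
                // null: a normal return only means the policy server started notifying;
                // per-server outcomes are not reported, so verify the replicas separately.
                System.out.println("policy server started notifying all authorization servers");
            }
            printMessages(msgs);
            return true;
        } catch (PDException e) {
            // The Java API reports failure by exception, not by a boolean return value.
            System.err.println("replication failed for "
                + (serverName == null ? "all servers" : serverName) + ": " + e.getMessage());
            printMessages(e.getMessages()); // assumed accessor for the messages of the failure
            return false;
        }
    }

    /** Prints the optional messages returned with a response; PDMessages is assumed iterable. */
    static void printMessages(PDMessages msgs) {
        if (msgs == null) {
            return;
        }
        for (Object m : msgs) {
            System.out.println("  message: " + m);
        }
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            System.err.println("run from a terminal so the password can be read without echo");
            System.exit(2);
        }
        // Placeholder path: the configuration file written for this application by SvrSslCfg.
        URL configUrl = new URL("file:///PLACEHOLDER/path/to/appsvr.conf");
        char[] password = System.console().readPassword("Password for sec_master: ");
        // Assumed constructor: PDContext(Locale, String userId, char[] password, URL configURL).
        // No explicit cleanup is needed: the Java transport layer manages the SSL sessions.
        PDContext ctx = new PDContext(Locale.getDefault(), "sec_master", password, configUrl);

        // First argument: an authorization server name; omit it to notify all of them.
        String server = args.length > 0 ? args[0] : null;
        boolean ok = notifyReplicas(ctx, server);
        Arrays.fill(password, '\0'); // the credential is no longer needed in memory
        System.exit(ok ? 0 : 1);
    }
}
```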
Setting the maximum number of notification threads

When the master authorization database is updated, this update is announced to replica databases through the use of notification threads. Each replica then has the responsibility of downloading the new data from the master authorization database.

You can edit the ivmgrd.conf file to set a value for the maximum number of notification threads. This number is calculated based on the number of replica databases in your secure domain. For example, if you have 10 replica databases and want to notify them of master database changes simultaneously, specify a value of 10 for the max-notifier-threads attribute as shown:

[ivmgrd]
max-notifier-threads = 10

The default value is 10 (threads).
Setting the notification wait time

There is a time delay between when the policy server updates the master authorization database and when notification is sent to database replicas. If you added auto-database-update-notify = yes to the ivmgrd.conf file as described in "Notifying replica databases automatically" on page 50, you can set this period of time. To do so, edit the notifier-wait-time value in the ivmgrd.conf file.

For example, if you are making batch changes to the master authorization database, it is advisable to wait until all changes have been made before policy changes are sent to database replicas. Therefore, you might decide to increase the default value from 15 seconds to 25 seconds as shown:

[ivmgrd]
notifier-wait-time = 25

By editing the value for this attribute, the policy server is prevented from sending individual replica notifications for each of a series of database changes.
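As an added example (not from the manual), a review of the three [ivmgrd] notification settings described in this chapter: it parses the stanza, compares max-notifier-threads with the number of replica databases in the domain, and flags automatic notification being off or a wait time below the documented default. The stanza parser, the sample stanza, and the treatment of a missing auto-database-update-notify attribute as "no" are assumptions of this example, not product behaviour.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example: reviews the replica-notification settings of an ivmgrd.conf [ivmgrd] stanza. */
public class IvmgrdNotifyCheck {

    // Constructed sample stanza for this example; not taken from any real policy server.
    static final String SAMPLE_CONF =
        "[ivmgrd]\n"
        + "auto-database-update-notify = yes\n"
        + "max-notifier-threads = 4\n"
        + "notifier-wait-time = 25\n"
        + "\n"
        + "[other-stanza]\n"
        + "max-notifier-threads = 99\n";   // the same key in another stanza must be ignored

    /** Returns the key = value pairs of the named stanza only. */
    static Map<String, String> parseStanza(String conf, String stanza) {
        Map<String, String> values = new LinkedHashMap<>();
        boolean inStanza = false;
        for (String raw : conf.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            if (line.startsWith("[") && line.endsWith("]")) {
                inStanza = line.substring(1, line.length() - 1).trim().equals(stanza);
                continue;
            }
            int eq = line.indexOf('=');
            if (inStanza && eq > 0) {
                values.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
        return values;
    }

    /** Reads a non-negative integer setting, falling back to the default stated in the chapter. */
    static int intSetting(Map<String, String> s, String key, int documentedDefault, List<String> findings) {
        String v = s.get(key);
        if (v == null) {
            return documentedDefault;
        }
        try {
            int n = Integer.parseInt(v);
            if (n < 0) {
                throw new NumberFormatException(v);
            }
            return n;
        } catch (NumberFormatException e) {
            findings.add(key + " = '" + v + "' is not a non-negative integer (documented default: "
                + documentedDefault + ")");
            return documentedDefault;
        }
    }

    /** Reviews the stanza against the replica count; an empty list means nothing to report. */
    static List<String> review(Map<String, String> ivmgrd, int replicaCount) {
        List<String> findings = new ArrayList<>();
        // Assumption of this example: an absent attribute is treated like "no".
        String auto = ivmgrd.getOrDefault("auto-database-update-notify", "no");
        if (!auto.equalsIgnoreCase("yes")) {
            findings.add("auto-database-update-notify is '" + auto
                + "': replicas learn of master database changes only by polling or by PDServer.replicateServer");
        }
        int threads = intSetting(ivmgrd, "max-notifier-threads", 10, findings);   // default 10 threads
        if (threads < replicaCount) {
            findings.add("max-notifier-threads = " + threads + " is below the " + replicaCount
                + " replica databases in the domain, so one update cannot be announced to all of them at once");
        }
        int wait = intSetting(ivmgrd, "notifier-wait-time", 15, findings);          // default 15 seconds
        if (wait < 15) {
            findings.add("notifier-wait-time = " + wait
                + " is below the 15-second default; see 'Setting the notification wait time' before lowering it");
        }
        return findings;
    }

    public static void main(String[] args) {
        int replicas = args.length > 0 ? Integer.parseInt(args[0]) : 10;  // replicas in the sample domain
        List<String> findings = review(parseStanza(SAMPLE_CONF, "ivmgrd"), replicas);
        if (findings.isEmpty()) {
            System.out.println("no findings");
        }
        for (String f : findings) {
            System.out.println("finding: " + f);
        }
    }
}
```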
Administrating servers and database notification

Table 28. Administrating servers and database notification

Function | Description
PDServer constructor | Instantiates a server object.
PDServer object.getAdminServices | Returns the list of Administration Services registered by this server.
PDServer object.getDescription | Returns the description of this server.
PDServer object.getHostName | Returns the host name of this server.
PDServer object.getId | Returns the identifier of this server.
PDServer object.getPort | Returns the port of this server.
PDServer object.getTaskList | Gets the list of tasks from the server.
PDServer object.getUserId | Returns the user identifier of this server.
PDServer.listServers | Lists all the registered servers.
PDServer.performTask | Sends a command to an authorization server.
PDServer.replicateServer | Notifies authorization servers to receive database updates.
Appendix A. Differences between the C and Java administration API

If you are familiar with the administration C API described in the IBM Tivoli Access Manager for e-business Administration C API Developer Reference, you should be aware of several notable differences between them and the administration Java classes and methods described in this document. In particular, the handling of security context management and response processing is different between the two implementations. In addition, there are other subtle differences outlined in this appendix.

Security context management differences

The ivadmin_context_create3() function in the C language administration API creates a communication connection to the Tivoli Access Manager policy server. The context object returned by this function is tightly coupled to an actual Secure Sockets Layer (SSL) session. When the SSL session times out, the user must delete the context and create a new one in order to re-establish communication with the policy server. Unneeded contexts must be deleted on a timely basis with ivadmin_context_delete() to free SSL resources. This places the onus on the programmer to manage SSL sessions through the use of context objects and the ivadmin_context_* APIs.

The Java implementation of the context, using the PDContext object, hides the management of the actual SSL sessions from the user. The PDContext object only contains the information needed to establish communication with the server: the server location, the client's authentication information, and the locale to be used for message translation. The PDContext objects are not tied to a particular SSL session. Instead, an SSL session is obtained when a PDContext object is used in a Java method invocation. Tivoli Access Manager manages the SSL sessions itself — creating them, pooling them, reusing them, and eventually deleting them — without any explicit context management from the programmer.
Response processing differences

Most of the C language administration API functions return a boolean value indicating the overall success or failure of the requested operation. They also return an ivadmin_response object as an output parameter. This response object contains optional messages that can be subsequently processed using the ivadmin_response_* functions.

The Java language administration API methods throw a PDException exception on failure. Most methods provide a PDMessages output as an output parameter. This object contains optional messages that can be subsequently processed using the accessor methods provided in the PDMessages object class.
Additional differences

The following additional differences exist between the C language and Java language implementations of the Tivoli Access Manager administration API.
• The method names in the PDUser and PDGroup classes are user registry neutral. The function names provided in the administration C APIs are Lightweight Directory Access Protocol (LDAP) specific. This difference arises from the continuing support of a wider range of user registries in IBM Tivoli Access Manager (Tivoli Access Manager).
• The user and group names that appear in the methods associated with the PDUser and PDGroup classes are structured to allow for the possible future addition of other user registries.
• The type field is not supported in the PDProtObject and PDProtObjectSpace classes. Use extended attributes to provide equivalent function. This difference arises from the confusion caused by the type field on the administration C APIs not being used internally by Tivoli SecureWay Policy Director in the past.
• The administration Java classes and methods provide both certificate-based and user ID and password-based authentication. The administration C API only provides user ID and password-based authentication.
• The svrsslcfg command line interface (CLI) only can be used for applications written using the administration C API. For Java applications, use the com.tivoli.pd.jcfg.SvrSslCfg Java class instead.
• Policy information, such as maximum password age, is encapsulated in a PDPolicy class instead of being defined in the user and context objects as it is in the administration C API. The function provided is the same whether using the Java classes or the C API.
• When using the administration C APIs, the user must renegotiate the security context when a session timeout occurs. The PDContext class handles this processing automatically.
• There is no equivalent Java method for ivadmin_context_delete(). Managing security contexts is handled automatically by the Java transport layer.
Appendix B. Deprecated Java classes and methods

The classes and methods listed in Table 29 have been deprecated in IBM Tivoli Access Manager Version 5.1. Existing Java applications should be changed to use the replacement class or method indicated.

Table 29. Deprecated Java Classes and Methods

Deprecated Class or Method | Replacement Class or Method
com.tivoli.mts.PDAttrs | com.tivoli.pd.jutil.PDAttrs
com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, PDAttrValues) | com.tivoli.pd.jutil.PDAttrs.add(java.lang.String, java.util.Collection)
com.tivoli.pd.jutil.PDAttrs.get(java.lang.String) | com.tivoli.pd.jutil.PDAttrs.getValues(java.lang.String)
com.tivoli.mts.PDAttrValue | com.tivoli.pd.jutil.PDAttrValue
com.tivoli.mts.PDAttrValueList | com.tivoli.pd.jutil.PDAttrValueList
com.tivoli.mts.PDStatics | com.tivoli.pd.jutil.PDStatics
com.tivoli.mts.SvrSslCfg | com.tivoli.pd.jcfg.SvrSslCfg
com.tivoli.pd.PDAppSvrConfig.configureAppSvr(java.lang.String, char[], java.lang.String, com.tivoli.pd.jadmin.PDAppSvrSpec, java.net.URL, java.net.URL, int, java.util.Locale, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.PDAppSvrConfig.configureAppSvr(java.lang.String, char[], java.lang.String, com.tivoli.pd.jadmin.PDAppSvrSpec, java.net.URL, java.net.URL, int, java.util.Locale, java.lang.String, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDProtObject constructor (com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDProtObject constructor (com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDProtObject.createProtObject(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, boolean, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDProtObject.createProtObject(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, boolean, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDServer.performTask(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDServer.performTask(com.tivoli.pd.jutil.PDContext, java.lang.String, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
com.tivoli.pd.jadmin.PDServer.getTaskList(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.mts.PDAttrs, com.tivoli.mts.PDAttrs, com.tivoli.pd.jutil.PDMessages) | com.tivoli.pd.jadmin.PDServer.getTaskList(com.tivoli.pd.jutil.PDContext, java.lang.String, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDAttrs, com.tivoli.pd.jutil.PDMessages)
PDProtObject.getAcl | PDProtObject.getAclId
PDProtObject.getPop | PDProtObject.getPopId
PDProtObject.getAuthzRule | PDProtObject.getAuthzRuleId
Appendix C. User registry differences

The following user registry differences are known to exist in this version of IBM Tivoli Access Manager (Tivoli Access Manager).

1. When Tivoli Access Manager is using either Microsoft Active Directory or a Lotus Domino server as its user registry, only a single domain is supported. Use an LDAP user registry if you wish to take advantage of the multi-domain support in Tivoli Access Manager.
2. Tivoli Access Manager does not support cross domain group membership or universal groups when using Microsoft Active Directory as its user registry. Importing such groups into Tivoli Access Manager is not supported.
3. When the Tivoli Access Manager policy server is using either Microsoft Active Directory or a Lotus Domino server as its user registry, existing Tivoli SecureWay Policy Director, Version 3.8 clients are not able to connect to the policy server. Either use a different user registry or upgrade the clients to Tivoli Access Manager.
4. Users created in a Lotus Domino server or Microsoft Active Directory user registry are automatically given the capability to own single signon credentials and this capability can not be removed. When using an LDAP user registry, this capability must be explicitly granted to a user and subsequently can be removed.
5. Leading and trailing blanks in user names and group names are ignored when using LDAP or Microsoft Active Directory as the user registry in a Tivoli Access Manager secure domain. However, when using a Lotus Domino server as a user registry, leading and trailing blanks are significant. To ensure that processing is consistent regardless of what user registry is being used, define users and groups in the user registry without leading or trailing blanks in their names.
6. The forward slash character (/) should be avoided in user and group names defined using distinguished name strings. The forward slash character is treated differently in different user registries:

   Lotus Domino server
      Users and groups can not be created with names using a distinguished name string containing a forward slash character. To avoid the problem, either do not use a forward slash character or define the user without using the distinguished name designation:

         pdadmin user create myuser username/locinfo test test testpwd

      instead of using this one:

         pdadmin user create myuser cn=username/o=locinfo test test testpwd

   Microsoft Active Directory
      Users and groups can be created with names using a distinguished name string containing a forward slash character. However, subsequent operations on the object might fail as some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. To avoid the problem, do not use a forward slash character to define the user.

7. When using a multi-domain Microsoft Active Directory user registry, multiple users and groups can be defined with the same short name as long as they reside in different domains. However, the full name of the user or group, including the domain suffix, must always be specified to Tivoli Access Manager.
8. When using iPlanet Version 5.0 as the user registry, a user that is created, added to a group, and then deleted from the user registry retains its group membership. If a user with the same name is created at some later time, the new user automatically inherits the old group membership and might be given inappropriate permissions. It is strongly recommended that the user be removed from all groups before the user is deleted. This problem does not occur when using the other supported user registries.
9. Attempting to add a single duplicate user to a group does not produce an error when an LDAP user registry is being used. However, an error is properly reflected when using Lotus Domino server or Microsoft Active Directory.
10. The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be either string or binary data. However, when this service is used with a Microsoft Active Directory or Lotus Domino user registry, the retrieved attributes can be either string, binary or integer data.
11. The maximum lengths of various names associated with Tivoli Access Manager vary depending on the user registry being used. See Table 30 for a comparison of the maximum lengths allowed and the recommended maximum length to use to ensure compatibility with all the user registries supported by Tivoli Access Manager.
Table 30. Maximum lengths for names based on user registry

Maximum length of: | LDAP | Microsoft Active Directory | Lotus Domino server | Recommended maximum value
First name (LDAP CN) | 256 | 64 | 960 | 64
Middle name | 128 | 64 | 65535 | 64
Last name (surname) | 128 | 64 | 960 | 64
Registry UID (LDAP DN) | 1024 | 2048 | 255 | This value is user registry-specific and must be changed when changing user registries.
Tivoli Access Manager user identity | 256 | 2048 - 1 - length_of_domain_name | 200 - 4 - length_of_domain_name | This value is user registry-specific and must be changed when changing user registries.
User password | unlimited | 256 | unlimited | 256
User description | 1024 | 1024 | 1024 | 1024
Group name | 256 | 256 | |
Group description | 1024 | 1024 | 1024 | 1024
Single signon resource name | 240 | 256 | 256 | 240
Single signon resource description | 1024 | 1024 | 1024 | 1024
Single signon user ID | 240 | 256 | 256 | 240
Single signon password | unlimited | 256 | unlimited | 256
Single signon group name | 240 | 256 | 256 | 240
Single signon group description | 1024 | 1024 | 1024 | 1024
Action name | 1 | 1 | 1 | 1
Action description, action type | unlimited | unlimited | unlimited |
Object name, object space name, ACL name, POP name | unlimited | unlimited | unlimited |
Object description, object space description, ACL description, POP description | unlimited | unlimited | unlimited |

Even though some names can be of unlimited length, excessive lengths can result in policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for your environment.
Appendix D. Administration API equivalents

This appendix shows the mapping that exists between the administration C API functions, the administration Java classes and methods, the command line interface (CLI), and Web Portal Manager. In some cases, a given operation can be performed in different ways. Note that in some cases two or more method calls might be necessary to achieve the same effect as a single C API function.

Information about the administration C API can be found in the IBM Tivoli Access Manager for e-business Administration C API Developer Reference. Information about the pdadmin command line interface can be found in the IBM Tivoli Access Manager for e-business Command Reference. Information on Web Portal Manager can be found in its online help and in the IBM Tivoli Access Manager Base Administration Guide.
Tabl
e
31.
Map
ping
betw
een
adm
inis
trat
ion
C
AP
I,
Java
met
hods
,
the
com
man
d
line
inte
rfac
e,
and
Web
Por
tal
Man
ager
C
AP
I
Java
Cla
ss
and
Met
hod
Com
man
d
Lin
e
Eq
uiv
alen
t
Web
Por
tal
Man
ager
Eq
uiv
alen
t
ivad
min
_acl
_att
rdel
key
()
PD
Acl
.del
eteA
ttri
bu
te
PD
Acl
obje
ct.d
elet
eAtt
rib
ute
pdad
min
acl
modi
fy
acl_
name
dele
te
attr
ibut
e
attr
ibut
e_na
me
AC
L
→
Lis
t
AC
L
→
sele
ct
AC
L
nam
e
→
Ext
end
ed
Att
rib
ute
tab
→
sele
ct
attr
ibut
e
→
Del
ete
ivad
min
_acl
_att
rdel
val(
)
PD
Acl
.del
eteA
ttri
bu
teV
alu
e
PD
Acl
obje
ct.d
elet
eAtt
rib
ute
Val
ue
pdad
min
acl
modi
fy
acl_
name
dele
te
attr
ibut
e
attr
ibut
e_na
me
attr
ibut
e_va
lue
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Ext
end
ed
Att
rib
ute
tab
→
sele
ct
attr
ibut
es
→
Del
ete
ivad
min
_acl
_att
rget
()
PD
Acl
obje
ct.g
etA
ttri
bu
teV
alu
es
pdad
min
acl
show
acl_
name
attr
ibut
e
attr
ibut
e_na
me
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Ext
end
ed
Att
rib
ute
tab
ivad
min
_acl
_att
rlis
t()
PD
Acl
obje
ct.g
etA
ttri
bu
teN
ames
pdad
min
acl
list
acl_
name
attr
ibut
e
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Ext
end
ed
Att
rib
ute
tab
ivad
min
_acl
_att
rpu
t()
PD
Acl
.set
Att
rib
ute
Val
ue
PD
Acl
obje
ct.s
etA
ttri
bu
teV
alu
e
pdad
min
acl
modi
fy
acl_
name
set
attr
ibut
e
attr
ibut
e_na
me
attr
ibut
e_va
lue
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Ext
end
ed
Att
rib
ute
tab
→
Cre
ate
ivad
min
_acl
_cre
ate(
)
PD
Acl
.cre
ateA
cl
pdad
min
acl
crea
te
acl_
name
AC
L
→
Cre
ate
AC
L
ivad
min
_acl
_del
ete(
)
PD
Acl
.del
eteA
cl
pdad
min
acl
dele
te
acl_
name
AC
L
→
Lis
t
AC
L
→
sele
ct
AC
L
nam
es
→
Del
ete
ivad
min
_acl
_get
()
PD
Acl
cons
truc
tor
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_get
anyo
ther
()
PD
Acl
obje
ct.g
etP
DA
clE
ntr
yAn
yOth
er
pdad
min
acl
show
any-
othe
r
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_get
des
crip
tion
()
PD
Acl
obje
ct.g
etD
escr
ipti
on
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_get
grou
p()
PD
Acl
obje
ct.g
etP
DA
clE
ntr
iesG
rou
p
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_get
id()
PD
Acl
obje
ct.g
etId
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_get
un
auth
()
PD
Acl
obje
ct.g
etP
DA
clE
ntr
yUn
Au
th
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
62
IBM
Tivoli
Access
Manager
for
e-business:
Administration
Java
Classes
Developer
Reference
Tabl
e
31.
Map
ping
betw
een
adm
inis
trat
ion
C
AP
I,
Java
met
hods
,
the
com
man
d
line
inte
rfac
e,
and
Web
Por
tal
Man
ager
(con
tinue
d)
C
AP
I
Java
Cla
ss
and
Met
hod
Com
man
d
Lin
e
Eq
uiv
alen
t
Web
Por
tal
Man
ager
Eq
uiv
alen
t
ivad
min
_acl
_get
use
r()
PD
Acl
obje
ct.g
etP
DA
clE
ntr
iesU
ser
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_lis
t()
PD
Acl
.list
Acl
s
pdad
min
acl
list
AC
L
→
Lis
t
AC
L
ivad
min
_acl
_lis
tgro
up
s()
PD
Acl
obje
ct.g
etP
DA
clE
ntr
iesG
rou
p
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_lis
tuse
rs()
PD
Acl
obje
ct.g
etP
DA
clE
ntr
iesU
ser
pdad
min
acl
show
acl_
name
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
ivad
min
_acl
_rem
ovea
nyo
ther
()
PD
Acl
.rem
oveP
DA
clE
ntr
yAn
yOth
er
PD
Acl
obje
ct.r
emov
ePD
Acl
En
tryA
nyO
ther
pdad
min
acl
modi
fy
acl_
name
remo
ve
any-
othe
r
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
sele
ct
An
y-ot
her
AC
L
En
try
→
Del
ete
ivad
min
_acl
_rem
oveg
rou
p()
PD
Acl
.rem
oveP
DA
clE
ntr
yGro
up
PD
Acl
obje
ct.r
emov
ePD
Acl
En
tryG
rou
p
pdad
min
acl
modi
fy
acl_
name
remo
ve
grou
p
grou
p_na
me
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
sele
ct
Gro
up
AC
L
En
try
→
Del
ete
ivad
min
_acl
_rem
oveu
nau
th()
PD
Acl
.rem
oveP
DA
clE
ntr
yUn
Au
th
PD
Acl
obje
ct.r
emov
ePD
Acl
En
tryU
nA
uth
pdad
min
acl
modi
fy
acl_
name
remo
ve
unau
then
tica
ted
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
sele
ct
Un
auth
enti
cate
d
AC
L
En
try
→
Del
ete
ivad
min
_acl
_rem
oveu
ser(
)
PD
Acl
.rem
oveP
DA
clE
ntr
yUse
r
PD
Acl
obje
ct.r
emov
ePD
Acl
En
tryU
ser
pdad
min
acl
modi
fy
acl_
name
remo
ve
user
user
_nam
e
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
sele
ct
Use
r
AC
L
En
try
→
Del
ete
ivad
min
_acl
_set
anyo
ther
()
PD
Acl
.set
PD
Acl
En
tryA
nyO
ther
PD
Acl
obje
ct.s
etP
DA
clE
ntr
yAn
yOth
er
pdad
min
acl
modi
fy
acl_
name
set
any-
othe
r
perm
s
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
clic
k
An
y-ot
her
Per
mis
sion
s
→
sele
ct
perm
issi
ons
→
Ap
ply
ivad
min
_acl
_set
des
crip
tion
()
PD
Acl
.set
Des
crip
tion
PD
Acl
obje
ct.s
etD
escr
ipti
on
pdad
min
acl
modi
fy
acl_
name
desc
ript
ion
desc
ript
ion
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
mod
ify
Des
crip
tion
→
Set
ivad
min
_acl
_set
grou
p()
PD
Acl
.set
PD
Acl
En
tryG
rou
p
PD
Acl
obje
ct.s
etP
DA
clE
ntr
yGro
up
pdad
min
acl
modi
fy
acl_
name
set
grou
p
grou
p_na
me
perm
s
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Cre
ate
→
choo
se
En
try
Typ
e
Gro
up
→
spec
ify
nam
e
of
grou
p
→
sele
ct
perm
issi
ons
→
Ap
ply
Appendix
D.
Administration
API
equivalents
63
Tabl
e
31.
Map
ping
betw
een
adm
inis
trat
ion
C
AP
I,
Java
met
hods
,
the
com
man
d
line
inte
rfac
e,
and
Web
Por
tal
Man
ager
(con
tinue
d)
C
AP
I
Java
Cla
ss
and
Met
hod
Com
man
d
Lin
e
Eq
uiv
alen
t
Web
Por
tal
Man
ager
Eq
uiv
alen
t
ivad
min
_acl
_set
un
auth
()
PD
Acl
.set
PD
Acl
En
tryU
nA
uth
PD
Acl
obje
ct.s
etP
DA
clE
ntr
yUn
Au
th
pdad
min
acl
modi
fy
acl_
name
set
unau
then
tica
ted
perm
s
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Cre
ate
→
choo
se
En
try
Typ
e
Un
auth
enti
cate
d
→
sele
ct
perm
issi
ons
→
Ap
ply
ivad
min
_acl
_set
use
r()
PD
Acl
.set
PD
Acl
En
tryU
ser
PD
Acl
obje
ct.s
etP
DA
clE
ntr
yUse
r
pdad
min
acl
modi
fy
acl_
name
set
user
user
_nam
e
perm
s
AC
L
→
Lis
t
AC
L
→
clic
k
AC
L
nam
e
→
Cre
ate
→
choo
se
En
try
Typ
e
Use
r
→
spec
ify
nam
e
of
Use
r
→
sele
ct
perm
issi
ons
→
Ap
ply
ivad
min
_act
ion
_cre
ate(
)
PD
Act
ion
.cre
ateA
ctio
n
pdad
min
acti
on
crea
te
name
desc
ript
ion
acti
on_t
ype
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
clic
k
prim
ary
Act
ion
Gro
up
→
Cre
ate
→
fill
in
form
→
Cre
ate
ivad
min
_act
ion
_cre
ate_
in_g
rou
p()
PD
Act
ion
.cre
ateA
ctio
n
pdad
min
acti
on
crea
te
name
desc
ript
ion
acti
on_t
ype
acti
on_g
roup
_nam
e
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
clic
k
Act
ion
Gro
up
→
Cre
ate
→
fill
in
form
→
Cre
ate
ivad
min
_act
ion
_del
ete(
)
PD
Act
ion
.del
eteA
ctio
n
pdad
min
acti
on
dele
te
name
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
sele
ct
prim
ary
acti
on
grou
p
→
sele
ct
acti
ons
→
Del
ete
ivad
min
_act
ion
_del
ete_
from
_gro
up
()
PD
Act
ion
.del
eteA
ctio
n
pdad
min
acti
on
dele
te
name
acti
on_g
roup
_nam
e
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
clic
k
Act
ion
Gro
up
→
sele
ct
acti
ons
→
Del
ete
ivad
min
_act
ion
_get
des
crip
tion
()
PD
Act
ion
obje
ct.g
etD
escr
ipti
on
pdad
min
acti
on
list
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
clic
k
prim
ary
acti
on
grou
p
ivad
min
_act
ion
_get
id()
PD
Act
ion
obje
ct.g
etId
pdad
min
acti
on
list
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
clic
k
prim
ary
acti
on
grou
p
ivad
min
_act
ion
_get
typ
e()
PD
Act
ion
obje
ct.g
etTy
pe
pdad
min
acti
on
list
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
clic
k
prim
ary
acti
on
grou
p
ivad
min
_act
ion
_gro
up
_cre
ate(
)
PD
Act
ion
Gro
up
.cre
ateA
ctio
nG
rou
p
pdad
min
acti
on
grou
p
crea
te
acti
on_g
roup
_nam
e
AC
L
→
Cre
ate
Act
ion
Gro
up
ivad
min
_act
ion
_gro
up
_del
ete(
)
PD
Act
ion
Gro
up
.del
eteA
ctio
nG
rou
p
pdad
min
acti
on
grou
p
dele
te
acti
on_g
roup
_nam
e
AC
L
→
Lis
t
Act
ion
Gro
up
s
→
sele
ct
acti
on
grou
ps
→
Del
ete
ivad
min
_act
ion
_gro
up
_lis
t()
PD
Act
ion
Gro
up
.list
Act
ion
Gro
up
s
pdad
min
acti
on
grou
p
list
AC
L
→
Lis
t
Act
ion
Gro
up
s
64
IBM
Tivoli
Access
Manager
for
e-business:
Administration
Java
Classes
Developer
Reference
Tabl
e
31.
Map
ping
betw
een
adm
inis
trat
ion
C
AP
I,
Java
met
hods
,
the
com
man
d
line
inte
rfac
e,
and
Web
Por
tal
Man
ager
(con
tinue
d)
C
AP
I
Java
Cla
ss
and
Met
hod
Com
man
d
Lin
e
Eq
uiv
alen
t
Web
Por
tal
Man
ager
Eq
uiv
alen
t
C API: ivadmin_action_list()
Java: PDAction.listActions
Command line: pdadmin action list
Web Portal Manager: ACL → List Action Groups → click primary action group

C API: ivadmin_action_list_in_group()
Java: PDAction.listActions
Command line: pdadmin action list action_group_name
Web Portal Manager: ACL → List Action Groups → click Action Group

C API: ivadmin_authzrule_create()
Java: PDAuthzRule.createAuthzRule
Command line: pdadmin authzrule create rule_name rule_text [-desc description] [-failreason failreason]
Web Portal Manager: AuthzRule → Create AuthzRule

C API: ivadmin_authzrule_delete()
Java: PDAuthzRule.deleteAuthzRule
Command line: pdadmin authzrule delete rule_name
Web Portal Manager: AuthzRule → List AuthzRule → select AuthzRule names → Delete

C API: ivadmin_authzrule_get()
Java: PDAuthzRule constructor
Command line: pdadmin authzrule show rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name

C API: ivadmin_authzrule_getdescription()
Java: PDAuthzRule object.getDescription
Command line: pdadmin authzrule show rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name

C API: ivadmin_authzrule_getfailreason()
Java: PDAuthzRule object.getFailReason
Command line: pdadmin authzrule show rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name

C API: ivadmin_authzrule_getid()
Java: PDAuthzRule object.getID
Command line: pdadmin authzrule show rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name

C API: ivadmin_authzrule_getruletext()
Java: PDAuthzRule object.getRuleText
Command line: pdadmin authzrule show rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name

C API: ivadmin_authzrule_list()
Java: PDAuthzRule.listAuthzRules
Command line: pdadmin authzrule list
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name

C API: ivadmin_authzrule_setdescription()
Java: PDAuthzRule.setDescription; PDAuthzRule object.setDescription
Command line: pdadmin authzrule modify rule_name description description
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name → General tab → modify fields → Apply

C API: ivadmin_authzrule_setfailreason()
Java: PDAuthzRule.setFailReason; PDAuthzRule object.setFailReason
Command line: pdadmin authzrule modify rule_name failreason failreason
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name → General tab → modify fields → Apply
Appendix D. Administration API equivalents 65
C API: ivadmin_authzrule_setruletext()
Java: PDAuthzRule.setRuleText; PDAuthzRule object.setRuleText
Command line: pdadmin authzrule modify rule_name ruletext ruletext
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name → General tab → modify fields → Apply

C API: ivadmin_cfg_addreplica2()
Java: PDAppSvrConfig.addPDServer
Command line: svrsslcfg -add_replica -f cfg_file -h host_name [-p port] [-k rank]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_chgreplica2()
Java: PDAppSvrConfig.changePDServer
Command line: svrsslcfg -chg_replica -f cfg_file -h host_name [-p port] [-k rank]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_configureserver3()
Java: PDAppSvrConfig.configureAppSvr
Command line: svrsslcfg -config -f cfg_file -d kdb_dir_name -n server_name ...
Web Portal Manager: Not supported.

C API: ivadmin_cfg_getvalue()
Java: Not supported at this time.
Command line: pdadmin config show config_file stanza
Web Portal Manager: Not supported.

C API: ivadmin_cfg_removevalue()
Java: Not supported at this time.
Command line: pdadmin config modify keyvalue remove config_file stanza key [value]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_renewservercert()
Java: PDAppSvrConfig.replaceAppSvrCert
Command line: svrsslcfg -chgcert -f cfg_file -n server_name [-A admin_ID] -P admin_pwd
Web Portal Manager: Not supported.

C API: ivadmin_cfg_rmvreplica2()
Java: PDAppSvrConfig.removePDServer
Command line: svrsslcfg -rmv_replica -f cfg_file -h host_name [-p port] [-k rank]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_setapplicationcert2()
Java: Not supported at this time.
Command line: svrsslcfg -modify -f cfg_file [-t timeout] [-C cert_file] [-l listening_mode]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_setkeyringpwd2()
Java: Not applicable.
Command line: svrsslcfg -chgpwd -f cfg_file -n server_name [-A admin_ID] [-P admin_pwd]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_setlistening2()
Java: PDAppSvrConfig.setAppSvrListening
Command line: svrsslcfg -f cfg_file -modify -l yes
Web Portal Manager: Not supported.
C API: ivadmin_cfg_setport2()
Java: PDAppSvrConfig.setAppSvrPort
Command line: svrsslcfg -config -f cfg_file -d kdb_dir_name -n server_name ...
Web Portal Manager: Not supported.

C API: ivadmin_cfg_setssltimeout2()
Java: Not supported at this time.
Command line: svrsslcfg -modify -f cfg_file -t timeout [-C cert_file] [-l listening_mode]
Web Portal Manager: Not supported.

C API: ivadmin_cfg_setsvrpwd()
Java: Not supported at this time.
Command line: pdadmin config modify svrpassword config_file password
Web Portal Manager: Not supported.

C API: ivadmin_cfg_setvalue()
Java: Not supported at this time.
Command line: pdadmin config modify keyvalue {set | append} [-obfuscate] config_file stanza key value
Web Portal Manager: Not supported.

C API: ivadmin_cfg_unconfigureserver()
Java: PDAppSvrConfig.unconfigureAppSvr
Command line: svrsslcfg -unconfig -f cfg_file -n server_name [-A admin_ID] -P admin_pwd
Web Portal Manager: Not supported.

C API: ivadmin_context_cleardelcred()
Java: PDContext object.clearDelegatedCred
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_create3()
Java: PDContext constructor
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_createdefault2()
Java: PDContext constructor
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_createlocal()
Java: Not supported at this time.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_delete()
Java: PDContext object.close
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_domainismanagement()
Java: PDContext object.domainIsManagement
Command line: pdadmin context show
Web Portal Manager: Not supported.

C API: ivadmin_context_getaccexpdate()
Java: PDPolicy object.getAcctExpDate
Command line: pdadmin policy get account-expiry-date
Web Portal Manager: User → Show Global User Policy → Account Expiration Date

C API: ivadmin_context_getcodeset()
Java: PDContext object.getLocale
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_getdisabletimeint()
Java: PDPolicy object.getAcctDisableTimeInterval
Command line: pdadmin policy get disable-time-interval
Web Portal Manager: User → Show Global User Policy → Disable Time Interval

C API: ivadmin_context_getdomainid()
Java: PDContext object.getDomainid
Command line: pdadmin context show
Web Portal Manager: Not supported.
C API: ivadmin_context_getmaxlgnfails()
Java: PDPolicy object.getMaxFailedLogins
Command line: pdadmin policy get max-login-failures
Web Portal Manager: User → Show Global User Policy → Max Login Failures

C API: ivadmin_context_getmaxpwdage()
Java: PDPolicy object.getMaxPwdAge
Command line: pdadmin policy get max-password-age
Web Portal Manager: User → Show Global User Policy → Max Password Age

C API: ivadmin_context_getmaxpwdrepchars()
Java: PDPolicy object.getMaxPwdRepChars
Command line: pdadmin policy get max-password-repeated-chars
Web Portal Manager: User → Show Global User Policy → Max Password Repeated Characters

C API: ivadmin_context_getmgmtdomainid()
Java: PDDomain.getMgmtDomainName
Command line: pdadmin login -m
Web Portal Manager: Initial login.

C API: ivadmin_context_getmgmtsvrhost()
Java: Not supported at this time.
Command line: Not supported at this time.

C API: ivadmin_context_getmgmtsvrport()
Java: Not supported at this time.
Command line: Not supported at this time.

C API: ivadmin_context_getminpwdalphas()
Java: PDPolicy object.getMinPwdAlphas
Command line: pdadmin policy get min-password-alphas
Web Portal Manager: User → Show Global User Policy → Minimum Password Alphas

C API: ivadmin_context_getminpwdlen()
Java: PDPolicy object.getMinPwdLen
Command line: pdadmin policy get min-password-length
Web Portal Manager: User → Show Global User Policy → Minimum Password Length

C API: ivadmin_context_getminpwdnonalphas()
Java: PDPolicy object.getMinPwdNonAlphas
Command line: pdadmin policy get min-password-non-alphas
Web Portal Manager: User → Show Global User Policy → Minimum Password Non-Alphas

C API: ivadmin_context_getpwdspaces()
Java: PDPolicy object.pwdSpacesAllowed
Command line: pdadmin policy get password-spaces
Web Portal Manager: User → Show Global User Policy → Password Spaces Allowed

C API: ivadmin_context_gettodaccess()
Java: PDPolicy object.getAccessibleDays; PDPolicy object.getAccessStartTime; PDPolicy object.getAccessEndTime; PDPolicy object.getAccessTimezone
Command line: pdadmin policy get tod-access
Web Portal Manager: User → Show Global User Policy → Time of Day Access

C API: ivadmin_context_getuserid()
Java: PDContext object.getUserid
Command line: pdadmin context show
Web Portal Manager: Not supported.

C API: ivadmin_context_getuserreg()
Java: PDUser.getUserRgy
Command line: pdadmin admin show configuration
Web Portal Manager: Not supported.

C API: ivadmin_context_hasdelcred()
Java: PDContext object.hasDelegatedCred
Command line: Not applicable.
Web Portal Manager: Not applicable.
C API: ivadmin_context_setaccexpdate()
Java: PDPolicy.setAcctExpDate; PDPolicy object.setAcctExpDate
Command line: pdadmin policy set account-expiry-date [unlimited | absolute_time | unset]
Web Portal Manager: User → Show Global User Policy → Account Expiration Date → Apply

C API: ivadmin_context_setdelcred()
Java: PDContext object.setDelegatedCred
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_context_setdisabletimeint()
Java: PDPolicy.setAcctDisableTime; PDPolicy object.setAcctDisableTime
Command line: pdadmin policy set disable-time-interval [number | unset | disable]
Web Portal Manager: User → Show Global User Policy → Show Global User Policy → Apply

C API: ivadmin_context_setmaxlgnfails()
Java: PDPolicy.setMaxFailedLogins; PDPolicy object.setMaxFailedLogins
Command line: pdadmin policy set max-login-failures [number | unset]
Web Portal Manager: User → Show Global User Policy → Max Login Failures → Apply

C API: ivadmin_context_setmaxpwdage()
Java: PDPolicy.setMaxPwdAge; PDPolicy object.setMaxPwdAge
Command line: pdadmin policy set max-password-age [relative_time | unset]
Web Portal Manager: User → Show Global User Policy → Max Password Age → Apply

C API: ivadmin_context_setmaxpwdrepchars()
Java: PDPolicy.setMaxPwdRepChars; PDPolicy object.setMaxPwdRepChars
Command line: pdadmin policy set max-password-repeated-chars [number | unset]
Web Portal Manager: User → Show Global User Policy → Max Password Repeated Characters → Apply

C API: ivadmin_context_setminpwdalphas()
Java: PDPolicy.setMinPwdAlphas; PDPolicy object.setMinPwdAlphas
Command line: pdadmin policy set min-password-alphas [number | unset]
Web Portal Manager: User → Show Global User Policy → Minimum Password Alphas → Apply

C API: ivadmin_context_setminpwdlen()
Java: PDPolicy.setMinPwdLen; PDPolicy object.setMinPwdLen
Command line: pdadmin policy set min-password-length [number | unset]
Web Portal Manager: User → Show Global User Policy → Minimum Password Length → Apply

C API: ivadmin_context_setminpwdnonalphas()
Java: PDPolicy.setMinPwdNonAlphas; PDPolicy object.setMinPwdNonAlphas
Command line: pdadmin policy set min-password-non-alphas [number | unset]
Web Portal Manager: User → Show Global User Policy → Minimum Password Non-Alphas → Apply

C API: ivadmin_context_setpwdspaces()
Java: PDPolicy.setPwdSpacesAllowed; PDPolicy object.setPwdSpacesAllowed
Command line: pdadmin policy set password-spaces [yes | no | unset]
Web Portal Manager: User → Show Global User Policy → Password Spaces Allowed → Apply

C API: ivadmin_context_settodaccess()
Java: PDPolicy.setTodAccess; PDPolicy object.setTodAccess
Command line: pdadmin policy set tod-access todaccess_value
Web Portal Manager: User → Show Global User Policy → Time of Day Access → Apply
C API: ivadmin_domain_create()
Java: PDDomain.createDomain
Command line: pdadmin domain create domain_name domain_admin domain_admin_pwd [-desc description]
Web Portal Manager: Secure Domain → Create Secure Domain

C API: ivadmin_domain_delete()
Java: PDDomain.deleteDomain
Command line: pdadmin domain delete domain_name
Web Portal Manager: Secure Domain → List Secure Domain → select Secure Domain names → Delete

C API: ivadmin_domain_get()
Java: PDDomain constructor
Command line: pdadmin domain show domain_name
Web Portal Manager: Secure Domain → List Secure Domain → click Secure Domain name

C API: ivadmin_domain_getdescription()
Java: PDDomain object.getDescription
Command line: pdadmin domain show domain_name
Web Portal Manager: Secure Domain → List Secure Domain → click Secure Domain name

C API: ivadmin_domain_getid()
Java: PDDomain object.getId
Command line: pdadmin domain show domain_name
Web Portal Manager: Secure Domain → List Secure Domain → click Secure Domain name

C API: ivadmin_domain_list()
Java: PDDomain.listDomains
Command line: pdadmin domain list
Web Portal Manager: Secure Domain → List Secure Domain

C API: ivadmin_domain_setdescription()
Java: PDDomain.setDescription; PDDomain object.setDescription
Command line: pdadmin domain modify domain_name description description
Web Portal Manager: Secure Domain → List Secure Domain → click Secure Domain name → modify description → Apply

C API: ivadmin_free()
Java: Not applicable.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_group_addmembers()
Java: PDGroup.addMembers; PDGroup object.addMembers
Command line: pdadmin group modify group_name add (user_name1 user_name2 ...)
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name → Members tab → Add

C API: ivadmin_group_create2()
Java: PDGroup.createGroup
Command line: pdadmin group create group_name dn cn
Web Portal Manager: Group → Create Group

C API: ivadmin_group_delete2()
Java: PDGroup.deleteGroup
Command line: pdadmin group delete [-registry] group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → select group names → Delete
C API: ivadmin_group_get()
Java: PDGroup constructor
Command line: pdadmin group show group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name

C API: ivadmin_group_getbydn()
Java: PDGroup constructor
Command line: pdadmin group show-dn dn
Web Portal Manager: Not supported.

C API: ivadmin_group_getcn()
Java: Will not be supported.
Command line: pdadmin group show group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name

C API: ivadmin_group_getdescription()
Java: PDGroup object.getDescription
Command line: pdadmin group show group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name

C API: ivadmin_group_getdn()
Java: PDGroup object.getRgyName
Command line: pdadmin group show group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name

C API: ivadmin_group_getid()
Java: PDGroup object.getId
Command line: pdadmin group show group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name

C API: ivadmin_group_getmembers()
Java: PDGroup object.getMembers
Command line: pdadmin group show-members group_name
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name → Members tab

C API: ivadmin_group_import2()
Java: PDGroup.importGroup
Command line: pdadmin group import group_name dn
Web Portal Manager: Group → Import Group

C API: ivadmin_group_list()
Java: PDGroup.listGroups
Command line: pdadmin group list pattern max_return
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search

C API: ivadmin_group_listbydn()
Java: PDGroup.listGroups
Command line: pdadmin group list-dn pattern max_return
Web Portal Manager: Not supported.
C API: ivadmin_group_removemembers()
Java: PDGroup.removeMembers; PDGroup object.removeMembers
Command line: pdadmin group modify group_name remove (user_name1 user_name2 ...)
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name → Members tab → select user names → Remove

C API: ivadmin_group_setdescription()
Java: PDGroup.setDescription; PDGroup object.setDescription
Command line: pdadmin group modify group_name description description
Web Portal Manager: Group → Search Groups → enter pattern and maximum results → Search → click group name → enter Description → Apply

C API: ivadmin_objectspace_create()
Java: PDProtObjectSpace.createProtObjectSpace
Command line: pdadmin objectspace create objectspace_name
Web Portal Manager: Object Space → Create Object Space

C API: ivadmin_objectspace_delete()
Java: PDProtObjectSpace.deleteProtObjectSpace
Command line: pdadmin objectspace delete objectspace_name
Web Portal Manager: Object Space → Browse Object Space → click object space name → Delete

C API: ivadmin_objectspace_list()
Java: PDProtObjectSpace.listProtObjectSpaces
Command line: pdadmin objectspace list
Web Portal Manager: Object Space → Browse Object Space

C API: ivadmin_pop_attach()
Java: PDProtObject.attachPop; PDProtObject object.attachPop
Command line: pdadmin pop attach object_name pop_name
Web Portal Manager: POP → List POP → click POP name → Attach tab → Attach

C API: ivadmin_pop_attrdelkey()
Java: PDPop.deleteAttribute; PDPop object.deleteAttribute
Command line: pdadmin pop modify pop_name delete attribute attribute_name
Web Portal Manager: POP → List POP → click POP name → Extended Attributes tab → select attributes → Delete

C API: ivadmin_pop_attrdelval()
Java: PDPop.deleteAttributeValue; PDPop object.deleteAttributeValue
Command line: pdadmin pop modify pop_name delete attribute attribute_name attribute_value
Web Portal Manager: POP → List POP → click POP name → Extended Attributes tab → select attributes → Delete

C API: ivadmin_pop_attrget()
Java: PDPop object.getAttributeValues
Command line: pdadmin pop show pop_name attribute
Web Portal Manager: POP → List POP → click POP name → Extended Attributes tab

C API: ivadmin_pop_attrlist()
Java: PDPop object.getAttributeNames
Command line: pdadmin pop list pop_name attribute
Web Portal Manager: POP → List POP → click POP name → Extended Attributes tab
C API: ivadmin_pop_attrput()
Java: PDPop.setAttributeValue; PDPop object.setAttributeValue
Command line: pdadmin pop modify pop_name set attribute attribute_name attribute_value
Web Portal Manager: POP → List POP → click POP name → Extended Attributes tab → Create

C API: ivadmin_pop_create()
Java: PDPop.createPop
Command line: pdadmin pop create pop_name
Web Portal Manager: POP → Create POP

C API: ivadmin_pop_delete()
Java: PDPop.deletePop
Command line: pdadmin pop delete pop_name
Web Portal Manager: POP → List POP → select POP names → Delete

C API: ivadmin_pop_detach()
Java: PDProtObject.detachPop; PDProtObject object.attachPop
Command line: pdadmin pop detach object_name
Web Portal Manager: POP → List POP → click POP name → Attach tab → select object → Detach

C API: ivadmin_pop_find()
Java: PDProtObject.listProtObjectsByPop
Command line: pdadmin pop find pop_name
Web Portal Manager: POP → List POP → click POP name → Attach tab

C API: ivadmin_pop_get()
Java: PDPop constructor
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_getauditlevel()
Java: PDPop object.getAuditLevel
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_getdescription()
Java: PDPop object.getDescription
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_getid()
Java: PDPop object.getId
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_getqop()
Java: PDPop object.getQOP
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_gettod()
Java: PDPop object.getTodAccessInfo
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_getwarnmode()
Java: PDPop object.getWarningMode
Command line: pdadmin pop show pop_name
Web Portal Manager: POP → List POP → click POP name

C API: ivadmin_pop_list()
Java: PDPop.listPops
Command line: pdadmin pop list
Web Portal Manager: POP → List POP

C API: ivadmin_pop_removeipauth()
Java: PDPop.removeIPAuthInfo; PDPop object.removeIPAuthInfo
Command line: pdadmin pop modify pop_name set ipauth remove network netmask
Web Portal Manager: POP → List POP → click POP name → IP Auth tab → select IP auth entries → Delete
C API: ivadmin_pop_setanyothernw()
Java: PDPop.setIPAuthInfo
Command line: pdadmin pop modify pop_name set ipauth anyothernw authentication_level
Web Portal Manager: POP → List POP → click POP name → IP Auth tab → Create → select Any Other Network check box, enter the authentication level → Create

C API: ivadmin_pop_setanyothernw_forbidden()
Java: PDPop.setIPAuthInfo
Command line: pdadmin pop modify pop_name set ipauth anyothernw forbidden
Web Portal Manager: POP → List POP → click POP name → IP Auth tab → Create → select Any Other Network check box, select Forbidden check box → Create

C API: ivadmin_pop_setauditlevel()
Java: PDPop.setAuditLevel; PDPop object.setAuditLevel
Command line: pdadmin pop modify pop_name set audit-level [all | none | audit_level_list]
Web Portal Manager: POP → List POP → click POP name → General tab → select Audit Level check box → Apply

C API: ivadmin_pop_setdescription()
Java: PDPop.setDescription; PDPop object.setDescription
Command line: pdadmin pop modify pop_name set description description
Web Portal Manager: POP → List POP → click POP name → General tab → Apply

C API: ivadmin_pop_setipauth()
Java: PDPop.setIPAuthInfo; PDPop object.setIPAuthInfo
Command line: pdadmin pop modify pop_name set ipauth add network netmask authentication_level
Web Portal Manager: POP → List POP → click POP name → IP Auth tab → Create → enter the network, netmask, and authentication level → Apply

C API: ivadmin_pop_setipauth_forbidden()
Java: PDPop.setIPAuthInfo; PDPop object.setIPAuthInfo
Command line: pdadmin pop modify pop_name set ipauth add network netmask forbidden
Web Portal Manager: POP → List POP → click POP name → IP Auth tab → Create → enter the network and netmask, select Forbidden check box → Apply

C API: ivadmin_pop_setqop()
Java: PDPop.setQOP; PDPop object.setQOP
Command line: pdadmin pop modify pop_name set qop [none | integrity | privacy]
Web Portal Manager: POP → List POP → click POP name → General tab → Apply

C API: ivadmin_pop_settod()
Java: PDPop.setTodAccessInfo; PDPop object.setTodAccessInfo
Command line: pdadmin pop modify pop_name set tod-access tod_value
Web Portal Manager: POP → List POP → click POP name → General tab → Apply
C API: ivadmin_pop_setwarnmode()
Java: PDPop.setWarningMode; PDPop object.setWarningMode
Command line: pdadmin pop modify pop_name set warning [on | off]
Web Portal Manager: POP → List POP → click POP name → General tab → Apply

C API: ivadmin_protobj_access()
Java: PDProtObject.access
Command line: pdadmin object access object_name
Web Portal Manager: Not supported.

C API: ivadmin_protobj_attachacl()
Java: PDProtObject.attachAcl; PDProtObject object.attachAcl
Command line: pdadmin acl attach object_name acl_name
Web Portal Manager: ACL → List ACL → click ACL name → Attach tab → Attach

C API: ivadmin_protobj_attachauthzrule()
Java: PDProtObject.attachAuthzRule; PDProtObject object.attachAuthzRule
Command line: pdadmin authzrule attach object_name rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name → Attach tab → Attach

C API: ivadmin_protobj_attrdelkey()
Java: PDProtObject.deleteAttribute; PDProtObject object.deleteAttribute
Command line: pdadmin object modify object_name delete attribute_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → Extended Attributes tab → select attribute → Delete

C API: ivadmin_protobj_attrdelval()
Java: PDProtObject.deleteAttributeValue; PDProtObject object.deleteAttributeValue
Command line: pdadmin object modify object_name delete attribute_name attribute_value
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → Extended Attributes tab → select attribute → Delete

C API: ivadmin_protobj_attrget()
Java: PDProtObject object.getAttributeValues
Command line: pdadmin object show object_name attribute attribute_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → Extended Attributes tab

C API: ivadmin_protobj_attrlist()
Java: PDProtObject object.getAttributeNames
Command line: pdadmin object list object_name attribute
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → Extended Attributes tab

C API: ivadmin_protobj_attrput()
Java: PDProtObject.setAttributeValue; PDProtObject object.setAttributeValue
Command line: pdadmin object modify object_name set attribute attribute_name attribute_value
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → Extended Attributes tab → Create
C API: ivadmin_protobj_create()
Java: PDProtObject.createProtObject
Command line: pdadmin object create object_name
Web Portal Manager: Object Space → Create Object. Select the Can Policy be attached to this object check box on the Protected Object Properties window. Note: The type field is not supported.

C API: ivadmin_protobj_delete()
Java: PDProtObject.deleteProtObject
Command line: pdadmin object delete object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab → Delete

C API: ivadmin_protobj_detachacl()
Java: PDProtObject.detachAcl; PDProtObject object.detachAcl
Command line: pdadmin acl detach object_name
Web Portal Manager: ACL → List ACL → click ACL name → Attach tab → select object names → Detach

C API: ivadmin_protobj_detachauthzrule()
Java: PDProtObject.detachAuthzRule; PDProtObject object.detachAuthzRule
Command line: pdadmin authzrule detach object_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name → Attach tab → select object names → Detach

C API: ivadmin_protobj_exists()
Java: PDProtObject.exists
Command line: pdadmin object exists object_name
Web Portal Manager: Not supported.

C API: ivadmin_protobj_get3()
Java: PDProtObject constructor
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_getaclid()
Java: PDProtObject object.getAcl
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_getauthzruleid()
Java: PDProtObject object.getAuthzRule
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab
C API: ivadmin_protobj_getdesc()
Java: PDProtObject object.getDescription
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_geteffaclid()
Java: PDProtObject object.getEffectiveAclId
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_geteffauthzruleid()
Java: PDProtObject object.getEffectiveAuthzRuleId
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_geteffpopid()
Java: PDProtObject object.getEffectivePopId
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_getid()
Java: PDProtObject object.getId
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_getpolicyattachable()
Java: PDProtObject object.isPolicyAttachable
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_getpopid()
Java: PDProtObject object.getPopId
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_gettype()
Java: Will not be supported.
Command line: pdadmin object show object_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab

C API: ivadmin_protobj_list3()
Java: PDProtObject.listProtObjects
Command line: pdadmin object list directory_name
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name
C API: ivadmin_protobj_listbyacl()
Java: PDProtObject.listProtObjectsByAcl
Command line: pdadmin acl find acl_name
Web Portal Manager: ACL → List ACL → click ACL name → Attach tab

C API: ivadmin_protobj_listbyauthzrule()
Java: PDProtObject.listProtObjectsByAuthzRule
Command line: pdadmin authzrule find rule_name
Web Portal Manager: AuthzRule → List AuthzRule → click AuthzRule name → Attach tab

C API: ivadmin_protobj_multiaccess()
Java: PDProtObject.multiAccess
Command line: pdadmin object access object_name
Web Portal Manager: Not supported.

C API: ivadmin_protobj_setdesc()
Java: PDProtObject.setDescription; PDProtObject object.setDescription
Command line: pdadmin object modify object_name description description
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab → Apply

C API: ivadmin_protobj_setname()
Java: Will not be supported.
Command line: pdadmin object modify object_name name name conflict_resolution resolution_modifier
Web Portal Manager: Not supported.

C API: ivadmin_protobj_setpolicyattachable()
Java: PDProtObject.setPolicyAttachable; PDProtObject object.setPolicyAttachable
Command line: pdadmin object modify object_name isPolicyAttachable [yes | no]
Web Portal Manager: Object Space → Browse Object Space → expand and click on object name → General tab → Apply

C API: ivadmin_protobj_settype()
Java: Will not be supported.
Command line: pdadmin object modify object_name type type
Web Portal Manager: Not supported.

C API: ivadmin_response_getcode()
Java: Not applicable.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_response_getcount()
Java: Not applicable.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_response_getmessage()
Java: Not applicable.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_response_getmodifier()
Java: Not applicable.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_response_getok()
Java: Not applicable.
Command line: Not applicable.
Web Portal Manager: Not applicable.

C API: ivadmin_server_gettasklist()
Java: PDServer.getTaskList
Command line: pdadmin server listtasks server_name
Web Portal Manager: Not supported.

C API: ivadmin_server_performtask()
Java: PDServer.performTask
Command line: pdadmin server task server_name task_to_perform
Web Portal Manager: Not supported.

C API: ivadmin_server_replicate()
Java: PDServer.serverReplicate
Command line: pdadmin server replicate server_name
Web Portal Manager: Not supported.
Table 31. Mapping between administration C API, Java methods, the command line interface, and Web Portal Manager (continued)

C API | Java Class and Method | Command Line Equivalent | Web Portal Manager Equivalent
ivadmin_ssocred_create() | PDSSOCred.createSSOCred | pdadmin rsrccred create resource_name rsrcuser resource_userid rsrcpwd resource_pwd rsrctype [web|group] user user_name | User → Search Users → Search → click user name → click GSO Credentials tab → click Create
ivadmin_ssocred_delete() | PDSSOCred.deleteSSOCred | pdadmin rsrccred delete resource_name rsrctype [web|group] user user_name | User → Search Users → Search → click user name → click GSO Credentials tab → select GSO Credentials → Delete
ivadmin_ssocred_get() | PDSSOCred constructor | pdadmin rsrccred show resource_name rsrctype [web|group] user user_name | User → Search Groups → Search → click user name → click GSO Credentials tab
ivadmin_ssocred_getid() | PDSSOCred object.getResourceName | pdadmin rsrccred show resource_name rsrctype [web|group] user user_name | User → Search Groups → Search → click user name → click GSO Credentials tab
ivadmin_ssocred_getssopassword() | PDSSOCred object.getResourcePassword | Not applicable. | Not applicable.
ivadmin_ssocred_getssouser() | PDSSOCred object.getResourceUser | Not applicable. | Not applicable.
ivadmin_ssocred_gettype() | PDSSOCred object.getResourceType | pdadmin rsrccred show resource_name rsrctype [web|group] user user_name | User → Search Groups → Search → click user name → click GSO Credentials tab
ivadmin_ssocred_getuser() | PDSSOCred object.getUser | pdadmin rsrccred show resource_name rsrctype [web|group] user user_name | User → Search Groups → Search → click user name → click GSO Credentials tab
ivadmin_ssocred_list() | PDSSOCred object.listAndShowSSOCreds; PDSSOCred object.listSSOCreds | pdadmin rsrccred list user user_name | User → Search Users → Search → click user name → click GSO Credentials tab
ivadmin_ssocred_set() | PDSSOCred.setSSOCred; PDSSOCred object.setSSOCred | pdadmin rsrccred modify resource_name rsrctype [web|group] [-rsrcuser resource_userid] [-rsrcpwd resource_pwd] user user_name | User → Search Users → Search → click user name → click GSO Credentials tab → click Create
ivadmin_ssogroup_addres() | PDSSOResourceGroup.addSSOResource; PDSSOResourceGroup object.addSSOResource | pdadmin rsrcgroup modify resource_group_name add rsrcname resource_name | GSO Resource → List GSO Groups → click GSO resource group → Add
ivadmin_ssogroup_create() | PDSSOResourceGroup.createSSOResourceGroup | pdadmin rsrcgroup create resource_group_name [-desc description] | GSO Resource → Create GSO Group
ivadmin_ssogroup_delete() | PDSSOResourceGroup.deleteSSOResourceGroup | pdadmin rsrcgroup delete resource_group_name | GSO Resource → List GSO Groups → select GSO resource groups → Delete
ivadmin_ssogroup_get() | PDSSOResourceGroup constructor | pdadmin rsrcgroup show resource_group_name | GSO Resource → List GSO Groups → click GSO resource group
ivadmin_ssogroup_getdescription() | PDSSOResourceGroup object.getDescription | pdadmin rsrcgroup show resource_group_name | GSO Resource → List GSO Groups → click GSO resource group
ivadmin_ssogroup_getid() | PDSSOResourceGroup object.getId | pdadmin rsrcgroup show resource_group_name | GSO Resource → List GSO Groups → click GSO resource group
ivadmin_ssogroup_getresources() | PDSSOResourceGroup object.getSSOResources | pdadmin rsrcgroup show resource_group_name | GSO Resource → List GSO Groups → click GSO resource group
ivadmin_ssogroup_list() | PDSSOResourceGroup.listSSOResourceGroups | pdadmin rsrcgroup list | GSO Resource → List GSO Groups
ivadmin_ssogroup_removeres() | PDSSOResourceGroup.removeSSOResource; PDSSOResourceGroup object.removeSSOResource | pdadmin rsrcgroup modify resource_group_name remove rsrcname resource_name | GSO Resource → List GSO Groups → click GSO resource group → select members → Remove
ivadmin_ssoweb_create() | PDSSOResource.createSSOResource | pdadmin rsrc create resource_name [-desc description] | GSO Resource → Create GSO
ivadmin_ssoweb_delete() | PDSSOResource.deleteSSOResource | pdadmin rsrc delete resource_name | GSO Resource → List GSO → select GSO resources → Delete
ivadmin_ssoweb_get() | PDSSOResource constructor | pdadmin rsrc show resource_name | GSO Resource → List GSO → click GSO resource
ivadmin_ssoweb_getdescription() | PDSSOResource object.getDescription | pdadmin rsrc show resource_name | GSO Resource → List GSO → click GSO resource
ivadmin_ssoweb_getid() | PDSSOResource object.getId | pdadmin rsrc show resource_name | GSO Resource → List GSO → click GSO resource
ivadmin_ssoweb_list() | PDSSOResource.listSSOResources | pdadmin rsrc list | GSO Resource → List GSO
ivadmin_user_create3() | PDUser.createUser | pdadmin user create [-gsouser] [-no-password-policy] user_name dn cn sn pwd (group1 group2 ...) | User → Create User
ivadmin_user_delete2() | PDUser.deleteUser | pdadmin user delete [-registry] user_name | User → Search Users → enter pattern and maximum results → Search → select user names → Delete
ivadmin_user_get() | PDUser constructor | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getaccexpdate() | PDPolicy object.getAcctExpDate | pdadmin user get account-expiry-date [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getaccountvalid() | PDUser object.isAccountValid | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getbydn() | PDUser constructor | pdadmin user show-dn dn | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getcn() | PDUser object.getFirstName | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getdescription() | PDUser object.getDescription | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getdisabletimeint() | PDPolicy object.getAcctDisableTimeInterval | pdadmin policy get disable-time-interval [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getdn() | PDUser object.getRgyName | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getid() | PDUser object.getId | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getmaxlgnfails() | PDPolicy object.getMaxFailedLogins | pdadmin policy get max-login-failures [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getmaxpwdage() | PDPolicy object.getMaxPwdAge | pdadmin policy get max-password-age [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getmaxpwdrepchars() | PDPolicy object.getMaxPwdRepChars | pdadmin policy get max-password-repeated-chars [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getmemberships() | PDUser object.getGroups | pdadmin user show-groups user_name | User → Search Users → enter pattern and maximum results → Search → click user name → Groups tab
ivadmin_user_getminpwdalphas() | PDPolicy object.getMinPwdAlphas | pdadmin policy get min-password-alphas [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getminpwdlen() | PDPolicy object.getMinPwdLen | pdadmin policy get min-password-length [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getminpwdnonalphas() | PDPolicy object.getMinPwdNonAlphas | pdadmin policy get min-password-non-alphas [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getpasswordvalid() | PDUser object.isPasswordValid | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getpwdspaces() | PDPolicy object.pwdSpacesAllowed | pdadmin policy get password-spaces [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_getsn() | PDUser object.getLastName | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
not applicable | PDUser object.isPDUser | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_getssouser() | PDUser object.isSSOUser | pdadmin user show user_name | User → Search Users → enter pattern and maximum results → Search → click user name
ivadmin_user_gettodaccess() | PDPolicy object.getAccessibleDays; PDPolicy object.getAccessStartTime; PDPolicy object.getAccessEndTime | pdadmin policy get tod-access -user user_name | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_import2() | PDUser.importUser | pdadmin user import [-gsouser] user_name dn | User → Import User
ivadmin_user_list() | PDUser.listUsers | pdadmin user list pattern max_return | User → Search Users → enter pattern and maximum results → Search
ivadmin_user_listbydn() | PDUser.listUsers | pdadmin user list-dn pattern max_return | Not supported.
ivadmin_user_setaccexpdate() | PDPolicy.setAcctExpDate; PDPolicy object.setAcctExpDate | pdadmin policy set account-expiry-date [unlimited|absolute_time|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setaccountvalid() | PDUser.setAccountValid; PDUser object.setAccountValid | pdadmin user modify user_name account-valid [yes|no] | User → Search Users → enter pattern and maximum results → Search → click user name → General tab
ivadmin_user_setdescription() | PDUser.setDescription; PDUser object.setDescription | pdadmin user modify user_name description description | User → Search Users → enter pattern and maximum results → Search → click user name → General tab
ivadmin_user_setdisabletimeint() | PDPolicy.setAcctDisableTime; PDPolicy object.setAcctDisableTime | pdadmin policy set disable-time-interval [number|unset|disable] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setmaxlgnfails() | PDPolicy.setMaxFailedLogins; PDPolicy object.setMaxFailedLogins | pdadmin policy set max-login-failures [number|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setmaxpwdage() | PDPolicy.setMaxPwdAge; PDPolicy object.setMaxPwdAge | pdadmin policy set max-password-age [unset|relative_time] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setmaxpwdrepchars() | PDPolicy.setMaxPwdRepChars; PDPolicy object.setMaxPwdRepChars | pdadmin policy set max-password-repeated-chars [number|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setminpwdalphas() | PDPolicy.setMinPwdAlphas; PDPolicy object.setMinPwdAlphas | pdadmin policy set min-password-alphas [number|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setminpwdlen() | PDPolicy.setMinPwdLen; PDPolicy object.setMinPwdLen | pdadmin policy set min-password-length [number|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setminpwdnonalphas() | PDPolicy.setMinPwdNonAlphas; PDPolicy object.setMinPwdNonAlphas | pdadmin policy set min-password-non-alphas [number|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setpassword() | PDUser.setPassword; PDUser object.setPassword | pdadmin user modify user_name password password | User → Search Users → enter pattern and maximum results → Search → click user name → General tab
ivadmin_user_setpasswordvalid() | PDUser.setPasswordValid; PDUser object.setPasswordValid | pdadmin user modify user_name password-valid [yes|no] | User → Search Users → enter pattern and maximum results → Search → click user name → General tab
ivadmin_user_setpwdspaces() | PDPolicy.setPwdSpacesAllowed; PDPolicy object.setPwdSpacesAllowed | pdadmin policy set password-spaces [yes|no|unset] [-user user_name] | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
ivadmin_user_setssouser() | PDUser.setSSOUser; PDUser object.setSSOUser | pdadmin user modify user_name gsouser [yes|no] | User → Search Users → enter pattern and maximum results → Search → click user name → General tab
ivadmin_user_settodaccess() | PDPolicy.setTodAccess; PDPolicy object.setTodAccess | pdadmin policy set tod-access tod_value -user user_name | User → Search Users → enter pattern and maximum results → Search → click user name → Policy tab
Appendix E. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area.

Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control list (ACL). In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users’ access rights to that file.

access permission. The access privilege that applies to the entire object.

action. An access control list (ACL) permission attribute. See also access control list.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service will respond to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user’s eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization rule. See rule.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Tivoli Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization of requests for resources.

C

CA. See certificate authority.

CDAS. See Cross Domain Authentication Service.

CDMF. See Cross Domain Mapping Framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

CGI. See common gateway interface.
cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.

common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.

configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The machines, devices, and programs that make up a system, subsystem, or network.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations that add to and remove from the credentials attribute list, and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when WebSEAL e-Community SSO functions are used.

D

daemon. A program that runs unattended to perform continuous or periodic systemwide functions, such as network control. Some daemons are triggered automatically to perform their task; others operate periodically.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.

distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.

digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.

DN. See distinguished name.

domain. (1) A logical grouping of users, systems, and resources that share common services and usually function with a common purpose. (2) That part of a computer network in which the data processing resources are under common control. See also domain name.

domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if the fully qualified domain name (FQDN) of a host system is as400.rchland.vnet.ibm.com, each of the following is a domain name: as400.rchland.vnet.ibm.com, vnet.ibm.com, ibm.com.

E

EAS. See External Authorization Service.

encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.
entitlement
service.
An
authorization
API
runtime
plug-in
which
can
be
used
to
return
entitlements
from
an
external
source
for
a
principal
or
set
of
conditions.
Entitlements
are
normally
application
specific
data
that
will
be
consumed
by
the
resource
manager
application
92
IBM
Tivoli
Access
Manager
for
e-business:
Administration
Java
Classes
Developer
Reference
in
some
way
or
added
to
the
principal’s
credentials
for
use
further
on
in
the
authorization
process.
Customers
may
develop
these
services
using
the
authorization
ADK.
external
authorization
service.
An
authorization
API
runtime
plug-in
that
can
be
used
to
make
application
or
environment
specific
authorization
decisions
as
part
of
the
Tivoli
Access
Manager
authorization
decision
chain.
Customers
may
develop
these
services
using
the
authorization
ADK.
F

file transfer protocol (FTP). In the Internet suite of protocols, an application layer protocol that uses Transmission Control Protocol (TCP) and Telnet services to transfer bulk-data files between machines or hosts.

G

global signon (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Global signon grants users access to the computing resources they are authorized to use — through a single login. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single signon.

GSO. See global signon.

H

host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See Hypertext Transfer Protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.

IP. See Internet Protocol.

IPC. See Interprocess Communication.

J

junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. WebSEAL uses a junction to provide protective services on behalf of the back-end server.

K

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file. See key ring.

key file. See key ring.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.

key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

LDAP. See Lightweight Directory Access Protocol.

lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC
1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.

lightweight third party authentication (LTPA). An authentication framework that allows single sign-on across a set of Web servers that fall within an Internet domain.

LTPA. See lightweight third party authentication.

M

management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.

management server. Obsolete. See policy server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N

network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P

PAC. See privilege attribute certificate.

permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.

policy. A set of rules that are applied to managed resources.

policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.

polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.

POP. See protected object policy.

portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.

privilege attribute certificate. A digital document that contains a principal’s authentication and authorization attributes and a principal’s capabilities.

privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice-versa. These services could also be used to package or marshal a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the authorization ADK. See also privilege attribute certificate.

protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.

protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also access control list, protected object, and protected object space.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.

private key. In computer security, a key that is known only to its owner. Contrast with public key.

public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q

quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.
R

registry. The datastore that contains access and configuration information for users, systems, and software.

replica. A server that contains a copy of the directory or directories of another server. Replicas back up servers in order to enhance performance or response times and to ensure data integrity.

resource object. The representation of an actual network resource, such as a service, file, and program.

response file. A file that contains a set of predefined answers to questions asked by a program and that is used instead of entering those values one at a time.

role activation. The process of applying the access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

routing file. An ASCII file that contains commands that control the configuration of messages.

RSA encryption. A system for public-key cryptography used for encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The system’s security depends on the difficulty of factoring the product of two large prime numbers.

rule. One or more logical statements that enable the event server to recognize relationships among events (event correlation) and to execute automated responses accordingly.

run time. The time period during which a computer program is executing. A runtime environment is an execution environment.

S

scalability. The ability of a network system to respond to increasing numbers of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describe the structure of a database. In a relational database, the schema defines the tables, the fields in each table, and the relationships between fields and tables.

secure sockets layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA Data Security, Inc.

security management. The management discipline that addresses an organization’s ability to control access to applications and data that are critical to its success.

self-registration. The process by which a user can enter required data and become a registered Tivoli Access Manager user, without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, servers, and finger servers), or it can be more complex work such as that of servers or process servers.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single signon (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately. See also global signon.

SSL. See Secure Sockets Layer.

SSO. See single signon.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource but requires the user to authenticate at a level at least as high as that required by the policy protecting a resource.

suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.
trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U

uniform resource identifier (URI). The character string used to identify content on the Internet, including the name of the resource (a directory and file name), the location of the resource (the computer where the directory and file name exist), and how the resource can be accessed (the protocol, such as HTTP). An example of a URI is a uniform resource locator, or URL.

uniform resource locator (URL). A sequence of characters that represent information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WPM. See Web Portal Manager.
Index

A
access control list entries, table 31
access control list entry types 30
access control lists, table 30
account functions, table 21, 22
accounts 20
action group functions, table 32
action groups
  overview 32
adding development systems 3
ADK component 2
administration tasks 49
any-authenticated 30
any-other 30
API differences 61
application developer kit (ADK) 2
application development kit (ADK) 2
application, deploying 5
applications, building 3
audit log 37
audit records 37
authentication
  certificate-based 13
  user ID and password-based 12
authorization rules
  administering 39
  methods 39
authorization server 6

B
building applications 3

C
com.tivoli.mts.SrvSslCfg() 55
com.tivoli.nts.PDAttrs 55
com.tivoli.nts.PDAttrs.get() 55
com.tivoli.nts.PDAttrs() 55
com.tivoli.nts.PDAttrValue 55
com.tivoli.nts.PDAttrValueList 55
com.tivoli.nts.PDStatics 55
com.tivoli.pd.jadmin.PDProtObject constructor 55
com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects 55
com.tivoli.pd.jadmin.PDServer.getTaskList 55
com.tivoli.pd.jadmin.PDServer.performTask 55
com.tivoli.pd.PDAppSvrConfig.configureAppSvr() 55
commands, pdadmin 2
commands, svrsslcfg 2
components 2
createGroup method 23
createUser method 19

D
demonstration program 5
deploying an application 5
deprecated classes and methods 55
  com.tivoli.mts.SrvSslCfgs() 55
  com.tivoli.nts.PDAttrs 55
  com.tivoli.nts.PDAttrs.get() 55
  com.tivoli.nts.PDAttrs() 55
  com.tivoli.nts.PDAttrValue 55
  com.tivoli.nts.PDAttrValueList 55
  com.tivoli.nts.PDStatics 55
  com.tivoli.pd.jadmin.PDProtObject constructor 55
  com.tivoli.pd.jadmin.PDProtObject.listProtectedObjects 55
  com.tivoli.pd.jadmin.PDServer.getTaskList 55
  com.tivoli.pd.jadmin.PDServer.performTask 55
  com.tivoli.pd.PDAppSvrConfig.configureAppSvr() 55
  PDProtObject.getAcl 55
  PDProtObject.getAuthzRule 55
  PDProtObject.getPop 55
development systems, adding 3
domains
  administering 45
  management 45
  methods for administering 45

E
example program 5
extended action functions, table 33
extended actions, overview 33

F
files, installation directories 3

G
getLocalDomainName 45
getMgmtDomainName 45
getting administration tasks 49
group attributes, table 24
group functions, table 24
groups
  access control list entry type 30
  overview 19

I
IBM SecureWay Directory client 4
initializing API 12
installation 3
installation directories 3
installation requirements 3

J
Java classes 1
Javadoc information 2

L
log files 6, 7
logging
  messages 6
  PDJTracelogger 6
  trace output 7

M
management domain 45
message logging 6
methods
  PDAcl.listAcls 17
  PDAdmin.initialize 12
  PDAdmin.shutdown 18
  PDAuthzRule.listAuthzRules 17
  PDDomain.listDomains 17
  PDGroup.createGroup 23
  PDGroup.importGroup 23
  PDGroup.listGroups 17
  PDPolicy.acctDisableTimeEnforced 21
  PDPolicy.acctDisableTimeUnlimited 21
  PDPolicy.acctExpDateEnforced 21
  PDPolicy.acctExpDateUnlimited 21
  PDPolicy.getAccessEndTime 22
  PDPolicy.getAccessibleDays 22
  PDPolicy.getAccessStartTime 22
  PDPolicy.getAccessTimezone 22
  PDPolicy.getAcctDisableTimeInterval 21
  PDPolicy.getAcctExpDate 21
  PDPolicy.getMaxFailedLogins 22
  PDPolicy.maxFailedLoginsEnforced 22
  PDPolicy.setAcctDisableTime 22
  PDPolicy.setAcctExpDate 22
  PDPolicy.setMaxFailedLogins 22
  PDPolicy.setTodAccess 22
  PDPolicy.todAccessEnforced 22
  PDProtObject.listProtObjects 17
  PDProtObject.listProtObjectsByAcl 17
  PDProtObjectSpace.listProtObjectSpaces 17
  PDUser.createUser 14, 19, 20
  PDUser.deleteUser 17, 19, 20
  PDUser.getDescription 16, 20
  PDUser.getFirstName 20
  PDUser.getGroups 20
  PDUser.getId 20
  PDUser.getLastName 20
  PDUser.getPolicy 20
  PDUser.getRgyName 20
  PDUser.getUserRgy 21
  PDUser.importUser 19, 20
  PDUser.isAccountValid 20
  PDUser.isPDUser 20
  PDUser.isSSOUser 21
  PDUser.listUsers 17, 20
  PDUser.setAccountValid 16, 21
  PDUser.setDescription 21
  PDUser.setPassword 21
  PDUser.setPasswordValid 21
  PDUser.setSSOUser 21

N
notification wait time 50

O
objects
  PDAcl 10, 30
  PDAclEntry 10, 30
  PDAclEntryAnyOther 10, 30
  PDAclEntryGroup 10, 30
  PDAclEntryUnAuth 10, 30
  PDAclEntryUser 10, 30
  PDAction 10
  PDActionGroup 10
  PDAdmin 9
  PDAdmSvcPobj 10
  PDAppSvrInfo 11
  PDAppSvrSpecLocal 11
  PDAppSvrSpecRemote 11
  PDAttrs 11
  PDAttrValue 11
  PDAttrValueList 12
  PDAttrValues 12
  PDContext 9, 53
  PDException 11, 53
  PDGroup 9, 23
  PDMessage 11, 17
  PDMessages 11, 17, 53
  PDPolicy 10, 21
  PDPop 10
  PDProtObject 10
  PDProtObjectSpace 10, 25
  PDRgyGroupName 10
  PDRgyName 11
  PDRgyUserName 10
  PDServer 11
  PDSSOCred.CredID 11
  PDSSOCred.CredInfo 11
  PDSSOResource 11
  PDSSOResourceGroup 11
  PDSvrInfo 11
  PDUser 9, 19

P
password functions, table 22, 23
passwords 21, 22
PD.jar file 1
pdacld server 6
pdadmin command line utility 2
PDContext object 53
PDException object 53
PDGroup 23
PDJlog.properties 6, 7
PDJTraceLogger 6
PDMessages object 53
pdmgrd server 6
PDProtObject.getAcl 55
PDProtObject.getAuthzRule 55
PDProtObject.getPop 55
PDUser 19
PDUser.deleteUser method 19
performing administration tasks 49
policy server 6
problem determination 5
protected object attributes 27
protected object functions, table 26, 27
protected object policies 35
  administering 35
  defined 25
protected object policy (POP) 25
protected object policy extended attributes 37
protected object policy extended attributes, table 37
protected object policy objects 35
protected object policy objects, table 35
protected object policy settings 36
protected object policy settings, table 37
protected object space functions, table 26
protected object spaces 25
protected objects 25, 26

R
registry, user 4
related publications xi
replica databases, notification threads 50
replica databases, notifying of updates 49, 50
requirements, for installation 3
response processing 53

S
secure domain 3
Secure Sockets Layer (SSL) 2
security context 12, 53
servers and databases, table 51
software requirements 3
svrsslcfg command line utility 2

T
tracing Java classes 7

U
unauthenticated 30
Unicode 18
user account functions, table 21, 22
user accounts 20
user functions, table 20
user password functions, table 22, 23
user passwords 21, 22
user registry 4
  differences xv, 57
  maximum values 58, 59
users 19, 30
using the administration API 9
UTF-8 18

W
wait time 50
warning attribute 37