|
| Here is the error message I'm getting. Below is my updated jacl script. Could someone please help.
WASX7209I: Connected to process "dmgr" on node scm-unitc-63_dm using SOAP connector; The type of process is: DeploymentManager
Adding group GROUP1 as Administrators...
Adding group GROUP2 as Administrators...
Adding group GROUP3 as Monitors...
Adding group GROUP4 as Deployers...
WASX7015E: Exception running command: "enableSecurity dm-cell-01 userid password {GROUP5}"; exception information:
com.ibm.bsf.BSFException: error while eval'ing Jacl expression:
can't read "deployerRoleAssignment": no such variable
while executing
"addGroupToRole $deployerRoleAssignment $newgroup"
("foreach" body line 3)
invoked from within
"foreach newgroup $deployerGroups {
puts " Adding group $newgroup as Deployers..."
addGroupToRole $deployerRoleAssignm..."
(procedure "setupUsers" line 53)
invoked from within
"setupUsers $programGroup"
(procedure "enableSecurity" line 7)
invoked from within
"enableSecurity dm-cell-01 userid password {GROUP5}"
WASX7015E: Exception running command: "$AdminConfig save"; exception information:
com.ibm.websphere.management.exception.ConfigServiceException
com.ibm.ws.sm.workspace.WorkSpaceException: RepositoryException while retry updating documents in master repository
WASX7341W: No "save" was performed before the interactive scripting session exited; configuration changes will not be saved.
****************************************
************************************
set administrators [ list ]
set administratorGroups [ list GROUP1 GROUP2]
set monitors [ list ]
set monitorGroups [ list GROUP3 ]
set deployers [ list ]
set deployerGroups [ list GROUP1 GROUP2]
set adminsecuritymanagers [ list ]
set adminsecuritymanagerGroups [ list GROUP1 GROUP2]
set iscadmins [ list ]
set iscadminsGroups [ list GROUP1 GROUP2]
proc enableSecurity { cell userid password programGroup } {
global AdminConfig
setupLDAP $cell $userid $password
setupLTPA $cell $password
setupSecurity $cell
setupUsers $programGroup
}
proc setupSecurity { cell } {
global AdminConfig
set sec [ $AdminConfig getid /Cell:$cell/Security:/ ]
set enableAttr [ list enabled true ]
set java2attr [ list enforceJava2Security false ]
set userRegistry [ $AdminConfig list LDAPUserRegistry $sec ]
set urAttr [ list activeUserRegistry $userRegistry ]
set attrs [ list $enableAttr $java2attr $urAttr ]
$AdminConfig modify $sec $attrs
}
proc setupLDAP { cell userid password } {
global AdminConfig
set org {OU=Service Accounts,OU=Applications,DC=domain,DC=co
m}
set idAttr [ list serverId CN=$userid,$org ]
set passwordAttr [ list serverPassword $password ]
set ignoreCaseAttr [ list ignoreCase true ]
set baseDNAttr [ list baseDN dc=domain,dc=com ]
set bindDNAttr [ list bindDN CN=$userid,$org ]
set bindPasswordAttr [ list bindPassword $password ]
set realmAttr [ list realm server.domain.com:389 ]
set typeAttr [ list type ACTIVE_DIRECTORY ]
set sec [ $AdminConfig getid /Cell:$cell/Security:/ ]
set userRegistry [ $AdminConfig list LDAPUserRegistry $sec ]
set attrs [ list $idAttr $passwordAttr $ignoreCaseAttr $baseDNAttr $bindDNAttr $bindPasswordAttr $typeAttr $realmAttr ]
$AdminConfig modify $userRegistry $attrs
set endpoint [lindex [lindex [$AdminConfig showAttribute $userRegistry hosts] 0] 0]
set hostAttr [ list host server.domain.com ]
set portAttr [ list port 389 ]
set attrs [ list $hostAttr $portAttr ]
$AdminConfig modify $endpoint $attrs
set mapModeAttr [ list certificateMapMode EXACT_DN ]
set groupFilterAttr [ list groupFilter {(&(cn=%v)(objectcategory=group))} ]
set groupIdMapAttr [ list groupIdMap *:cn ]
set groupMemberIdMapAttr [ list groupMemberIdMap memberof:member ]
set userFilterAttr [ list userFilter {(& (sAMAccountName=%v)(objectcategory=user)
)} ]
set userIdMapAttr [ list userIdMap user:sAMAccountName ]
set attrs [ list $mapModeAttr $groupFilterAttr $groupIdMapAttr $groupMemberIdMapAttr $userFilterAttr $userIdMapAttr ]
set searchFilter [ $AdminConfig showAttribute $userRegistry searchFilter ]
$AdminConfig modify $searchFilter $attrs
}
proc setupLTPA { cell password } {
global AdminConfig
global AdminControl
set sec [ $AdminConfig getid /Cell:$cell/Security:/ ]
set ltpa [ $AdminConfig list LTPA $sec ]
set secMbean [ $AdminControl queryNames type=SecurityAdmin,process=dmgr,* ]
set timeoutAttr [ list timeout 720 ]
set passwordAttr [ list password $password ]
$AdminControl invoke $secMbean generateKeys $password
set exportedKeys [ $AdminControl invoke $secMbean exportLTPAKeys ]
for { set x 0 } { $x < 7 } { incr x } {
set key [lindex [lindex $exportedKeys $x] 0]
set value [lindex [lindex $exportedKeys $x] 1]
if {[ string compare $key com.ibm.websphere.ltpa.3DESKey] == 0} {
set sharedKey $value
} elseif {[string compare $key com.ibm.websphere.ltpa.PrivateKey] == 0} {
set privateKey $value
} elseif {[string compare $key com.ibm.websphere.ltpa.PublicKey] == 0} {
set publicKey $value
}
}
set sharedAttr [list shared [list [list byteArray $sharedKey]]]
set privateAttr [list private [list [list byteArray $privateKey]]]
set publicAttr [list public [list [list byteArray $publicKey]]]
set attrs [ list $timeoutAttr $passwordAttr $sharedAttr $privateAttr $publicAttr ]
$AdminConfig modify $ltpa $attrs
}
proc setupUsers { programGroup } {
global AdminConfig
global administrators
global administratorGroups
global monitors
global monitorGroups
global deployers
global deployerGroups
global adminsecuritymanagers
global adminsecuritymanagerGroups
global iscadmins
global iscadminsGroups
foreach assignment [ $AdminConfig list RoleAssignmentExt ] {
set roleLink [ $AdminConfig showAttribute $assignment role ]
set roleName [ $AdminConfig showAttribute $roleLink roleName ]
if {[string compare administrator $roleName] == 0} {
set adminRoleAssignment $assignment
}
if {[string compare monitor $roleName] == 0} {
set monitorRoleAssignment $assignment
}
}
foreach user [ $AdminConfig list UserExt ] {
lappend existing [ $AdminConfig showAttribute $user name ]
}
foreach newuser $administrators {
puts " Adding user $newuser as an Administrator..."
addUserToRole $adminRoleAssignment $newuser
}
foreach newgroup $administratorGroups {
puts " Adding group $newgroup as Administrators..."
addGroupToRole $adminRoleAssignment $newgroup
}
foreach newuser $monitors {
puts " Adding user $newuser as a Monitor..."
addUserToRole $monitorRoleAssignment $newuser
}
foreach newgroup $monitorGroups {
puts " Adding group $newgroup as Monitors..."
addGroupToRole $monitorRoleAssignment $newgroup
}
foreach newuser $deployers {
puts " Adding user $newuser as a Deployer..."
addUserToRole $deployerRoleAssignment $newuser
}
foreach newgroup $deployerGroups {
puts " Adding group $newgroup as Deployers..."
addGroupToRole $deployerRoleAssignment $newgroup
}
foreach newuser $adminsecuritymanagers {
puts " Adding user $newuser as a adminsecuritymanager..."
addUserToRole $adminsecuritymanagerRoleAssignment $newuser
}
foreach newgroup $adminsecuritymanagerGroups {
puts " Adding group $newgroup as adminsecuritymanagers..."
addGroupToRole $adminsecuritymanagerRoleAssignment $newgroup
}
foreach newuser $iscadmins {
puts " Adding user $newuser as a iscadmins..."
addUserToRole $iscadminsRoleAssignment $newuser
}
foreach newgroup $iscadminsGroups {
puts " Adding group $newgroup as iscadmins..."
addGroupToRole $iscadminsRoleAssignment $newgroup
}
if {[string compare $programGroup ""] != 0} {
puts " Adding group $programGroup as Monitors..."
addGroupToRole $monitorRoleAssignment $programGroup
}
}
proc addUserToRole { roleAssignment username } {
global AdminConfig
foreach user [ lindex [ $AdminConfig showAttribute $roleAssignment users ] 0 ] {
set nextName [ $AdminConfig showAttribute $user name ]
if {[string compare $nextName $username] == 0} {
puts " User $user already exists..."
return
}
}
set nameAttr [ list name $username ]
set attrs [ list $nameAttr ]
set newuser [ $AdminConfig create UserExt $roleAssignment $attrs users ]
}
proc addGroupToRole { roleAssignment groupname } {
global AdminConfig
foreach group [ lindex [ $AdminConfig showAttribute $roleAssignment groups ] 0 ] {
set nextName [ $AdminConfig showAttribute $group name ]
if {[string compare $nextName $groupname] == 0} {
puts " Group $group already exists..."
return
}
}
set nameAttr [ list name $groupname ]
set attrs [ list $nameAttr ]
set newuser [ $AdminConfig create GroupExt $roleAssignment $attrs groups ]
}
proc addUser { username role } {
global AdminConfig
foreach assignment [ $AdminConfig list RoleAssignmentExt ] {
set roleLink [ $AdminConfig showAttribute $assignment role ]
set roleName [ $AdminConfig showAttribute $roleLink roleName ]
if {[string compare $role $roleName] == 0} {
set roleAssignment $assignment
}
}
addUserToRole $roleAssignment $username
}
proc removeUser { username role } {
global AdminConfig
foreach assignment [ $AdminConfig list RoleAssignmentExt ] {
set roleLink [ $AdminConfig showAttribute $assignment role ]
set roleName [ $AdminConfig showAttribute $roleLink roleName ]
if {[string compare $role $roleName] == 0} {
set roleAssignment $assignment
}
}
foreach user [ lindex [ $AdminConfig showAttribute $roleAssignment users ] 0 ] {
set nextName [ $AdminConfig showAttribute $user name ]
if {[string compare $nextName $username] == 0} {
puts " Removing user $user..."
$AdminConfig remove $user
}
}
}
proc disableServerSecurity { cell node server } {
global AdminConfig
set appserv [ $AdminConfig getid /Cell:$cell/Node:$node/Server:$server/ ]
set sec [ $AdminConfig list Security $appserv ]
set enabledAttr [ list enabled false ]
set enforceJava2SecurityAttr [ list enforceJava2Security false ]
set attrs [ list $enabledAttr $enforceJava2SecurityAttr ]
if {[string compare $sec ""] == 0} {
set sec [ $AdminConfig create Security $appserv $attrs ]
} else {
$AdminConfig modify $sec $attrs
}
}
|
|