How to configure “Cross-cell single sign-on” in WebSphere with Jython

To configure "Cross-cell single sign-on" in the WebSphere 6.1 admin console with a Jython script, you can use the script below. This assumes that you've exported the keys from the server you are going to connect to.

import java.lang.String as jstr
import java.util.Properties as jprops
import java.io as jio
import javax.management as jmgmt

keyfilepassword = "somepassword"

# Import LTPA Keys
AdminConfig.save(); # This needs to happen so you can write to the Security file.
keyFile = "C:/projects/custom-security/was61keys";
fin = jio.FileInputStream(keyFile);
wasdev61keys = jprops();
wasdev61keys.load(fin);
fin.close();
password = jstr(keyfilepassword).getBytes();
securityAdmin = AdminControl.queryNames('*:*,name=SecurityAdmin');
securityObjectName = jmgmt.ObjectName(securityAdmin);
params = [wasdev61keys, password];
signature = ['java.util.Properties', '[B'];
AdminControl.invoke_jmx(securityObjectName, 'importLTPAKeys', params, signature);

# Save Config at the end.
AdminConfig.save();

How to configure a Shared Library in WebSphere with Jython

Here's a script that I used to configure a Shared Library in WebSphere 6.1 using Jython.

from string import whitespace

sharedLibName = "APPLICATION_SHARED_LIB"

# See if library already exists.
cellId = AdminConfig.list("Cell")
sharedLibraryId = AdminConfig.list("Library")
if (sharedLibraryId.find(sharedLibName) < 0): # Library does not exist.
	print "Creating Shared Library"
	params = [];
	params.append(["name", sharedLibName]);
	sharedLibraryId = AdminConfig.create("Library", cellId, params);

	# Find PARENT_LAST class loader
	print "Finding Class Loader"
	parentLastClassLoader = None;
	classLoaders = AdminConfig.list("Classloader")
	classLoaders = classLoaders.split();
	for classLoader in classLoaders:
		mode = AdminConfig.showAttribute(classLoader, "mode");
		if (mode == "PARENT_LAST"):
			parentLastClassLoader = classLoader;
			print "Found Parent Last Class Loader: " + classLoader;
	# Create a class loader
	if (parentLastClassLoader == None):
		print "Creating Class Loader";
		applicationServer = AdminConfig.list("ApplicationServer")
		params = [];
		params.append(["mode", "PARENT_LAST"]);
		parentLastClassLoader = AdminConfig.create("Classloader", applicationServer, params)
		print "Created Parent Last Class Loader: " + parentLastClassLoader;

	# Add the shared library to the class loader.
	params = [];
	params.append(["libraryName", sharedLibName]);
	params.append(["sharedClassloader", "true"]);
	AdminConfig.create("LibraryRef", parentLastClassLoader, params)

	print "Using Shared Library: " + sharedLibraryId;

	# Set a WAS variable to point to SharedLib
	print "Update the Variable Map"
	variableMap = AdminConfig.list("VariableMap").split();
	# Find the variable map for the server.
	for v in variableMap:
		if (v.find("/server") >= 0):
			variableMap = v
	print "Updating Variable Map: " + variableMap
	params = [];
	params.append(["symbolicName", "APP_SHARED_LIB_PATH"]);
	params.append(["value", "${APP_PROJECTS_ROOT}/SharedLib/MyApp"]);
	params.append(["description", "Root folder containing shared libs"]);
	AdminConfig.create("VariableSubstitutionEntry", variableMap, params);

	# Add all of our shared libs to Shared Library
	print "Adding Classpath";
	classpath = []
	classpath.append("${APP_SHARED_LIB_PATH}/activation.jar")
	classpath.append("${APP_SHARED_LIB_PATH}/commons-lang-2.1.jar")
	classpath.append("${APP_SHARED_LIB_PATH}/commons-logging.jar")
	classpath.append("${APP_SHARED_LIB_PATH}/dom4j-1.6.1.jar")
	classpath.append("${APP_SHARED_LIB_PATH}/smtp.jar")
	classpathStr = ""
	for c in classpath:
		if len(classpathStr) > 0:
			classpathStr += ";";
		classpathStr += c;
	params = [];
	params.append(["classPath", classpathStr]);
	AdminConfig.modify(sharedLibraryId, params);

# Save Config at the end.
AdminConfig.save();

How to configure WebSphere Global Security to use LDAP with Jython

Here's a script that I used to configure the WebSphere 6.1 global security setting to use LDAP using Jython.

# Properties
username = "user"
password = "pass"
ldapServer = "somecompany.com"
ldapPort = "389"

# Configure the LDAP authentication
AdminConfig.save(); # This needs to happen so you can write to the Security file.
ltpa = AdminConfig.list("LTPA");
ldapUserRegistry = AdminConfig.list("LDAPUserRegistry");
params = [];
params.append(["primaryAdminId", username]);
params.append(["useRegistryServerId", "false"]);
params.append(["type", "ACTIVE_DIRECTORY"]);
params.append(["realm", ldapServer + ":" + ldapPort]);
params.append(["baseDN", "DC=somecompany,DC=com"]);
params.append(["bindDN", "CN=" + username + ",OU=Service Accounts,DC=somecompany,DC=com"]);
params.append(["bindPassword", password]);
AdminConfig.modify(ldapUserRegistry, params);
# Configure the LDAP Advanced Settings
ldapSearchFilter = AdminConfig.list("LDAPSearchFilter");
params = [];
params.append(["userFilter", "(&(sAMAccountName=%v)(objectcategory=user))"]);
params.append(["groupFilter", "(&(cn=%v)(objectcategory=group))"]);
params.append(["userIdMap", "user:sAMAccountName"]);
params.append(["groupIdMap", "*:cn"]);
params.append(["groupMemberIdMap", "memberof:member"]);
params.append(["certificateMapMode", "EXACT_DN"]);
params.append(["certificateFilter", ""]);
AdminConfig.modify(ldapSearchFilter, params);
# Configure the LDAP endpoint.
endpointStr = AdminConfig.showAttribute(ldapUserRegistry, "hosts");
endpointStr = endpointStr[1:len(endpointStr)-1];
endpoint = endpointStr.split(' ')[0];
print endpoint
params = [];
params.append(["host", ldapServer]);
params.append(["port", ldapPort]);
AdminConfig.modify(endpoint, params);

# Configure Global Security
security = AdminConfig.list("Security") # ex. (cells/CompNode10Cell|security.xml#Security_1)
params = [];
params.append(["enabled", "true"]);
params.append(["appEnabled", "true"]);
params.append(["enforceJava2Security", "false"]);
params.append(["activeUserRegistry", ldapUserRegistry]);
params.append(["activeAuthMechanism", ltpa]);
AdminConfig.modify(security, params);

# Save Config at the end.
AdminConfig.save();