IBM Support

WebSphere & ISAM (TAM) embedded PD.jar

Question & Answer


Question

Which versions of ISAM's (TAM's) PD.jar are compatible with various versions of WebSphere Application Server (WAS)?

Cause

IBM WebSphere Application Server upgrade causes an incorrect version of PD.jar to be installed.

Answer

IBM WebSphere® Application Server (WAS) includes the IBM Security Access Manager (ISAM) PD.jar file in its distribution.
This can be problematic or confusing when the Policy Server is at a different version.
Note! This technote only applies to ISAM and WAS. "WebSphere Liberty", also known as "WAS Liberty", is a different product which does not include ISAM jars.
Note! Recent fix pack versions of WAS no longer distribute an updated PD.jar. Traditional WebSphere will ship with ISAM jars, but WAS will not provide APAR fixes or update the jars through WAS fix packs. Details are explained in the technote "Distribution of IBM Security Access Manager jars within WebSphere Application Server".

In general there is quite a bit of flexibility in using various PD.jar files with WebSphere. The main issue is which version of the PD.jar will work with which versions of ISAM's (TAM's) Policy Server and Authorization Server.
Other considerations include WPM, JACC and WebSphere 8. WAS 8 introduced some changes which required changes to the PD.jar, so WAS 8 is restricted to certain versions of the PD.jar.
WAS 8 requires a TAM PD.jar level of 6.1.0.7 or 6.1.1.3 as a minimum. JACC is also included in WAS and depends on the PD.jar. WPM is not included with WAS but also depends on the PD.jar.

In general it is recommended that the PD.jar be at the same level as the ISAM (TAM) server. Since this is not always possible, the following tables serve as a guideline in determining which version to use.

It is recommended that the PD.jar file included with WebSphere be used to configure WebSphere. After the PD.jar is configured, it can be replaced with a newer version by file copy. The biggest issue with this is that WAS patches replace the jar file with the latest version they carry, which means customers must replace it again with their own.

The main dependency is with the ISAM (TAM) server and the type of operations you are doing.
If you are just authenticating i.e. TAI, then you can use just about any version.
If you are running administrative operations then it is best to stay within N-1.
If you are using local mode applications i.e. JACC, then the release level of the PD.jar file MUST match the release level of the ISAM (TAM) server.

The following chart shows key WAS releases and the versions of the PD.jar included.

| WebSphere Application Server ND | ISAM / Tivoli Access Manager PD.jar |
| --- | --- |
| 7.0 Fix Pack 29 | 6.1.0.7 |
| 8.0 | 6.1.0.5 |
| 8.0 Fix Pack 01 | 6.1.0.7 |
| 8.5 | 6.1.0.7 |
| 8.5.5 | 6.1.0.7 |
| 8.5.5.2 | 6.1.0.9 |
| 9.0 | 6.1.0.9 |


The following chart shows key WAS releases and the ISAM (TAM) server versions supported.

Product versions that PD.jar functions against:

| PD.jar | WebSphere Application Server ND Version | ISAM/TAM Policy Server | TAM Local Mode DB |
| --- | --- | --- | --- |
| 6.1.0.5 | 6.1 / 7.x | 6.1 / 6.1.1 | 6.1 / 6.1.1 |
| 6.1.0.7 | 7.x / 8.x | 6.1 / 6.1.1 / 7.0 | 6.1 / 6.1.1 |
| 7.0 | 7.x / 8.x | 6.1.1 / 7.0 | 7.0 |
| 7.0.0.12 | 7.x / 8.x | 6.1.1.13 / 7.0.0.12 | 7.0.0.12 |
| 8.0 | 7.x / 8.x | 7.0 / 8.0 | 8.0 |
| 8.0.1.0 | 7.x / 8.x | 6.1.1.13 / 7.0.0.12 / 8.0.1.0 | 8.0.1.0 |
| 8.0.1.5 | 8.x / 9.x | 6.1.1.13 / 7.0.0.12 / 8.0.1.0 | 8.0.1.5 |
| 9.0 | 8.x / 9.x | 6.1.1.13 / 7.0.0.12 / 8.0.1.0 / 9.0 | 9.0 |

Note: When an Access Manager fix pack containing the correction for the POODLE issue (6.1.0.16, 6.1.1.13, 7.0.0.12, 8.0.1.0 or higher) has been applied to the Policy Server, prior versions of the PD.jar cannot be used to configure the Access Manager Runtime for Java. If an older version of the PD.jar without the POODLE fix must be used on WAS, then SSLv3 connections must be allowed in the Policy Server configuration. When a fix pack or an update is applied to the WebSphere Application Server, it is recommended to verify that the fix pack or update includes a POODLE-compatible version of the PD.jar or, after applying it, to use file copy to replace the incompatible PD.jar.

Background information:

The PD.jar file allows Java runtimes to deploy a set of classes to an appropriate resource.

The PD.jar file has a manifest file located at META-INF/MANIFEST.MF.
The MANIFEST.MF can be extracted by any standard zip software, including "jar" for Windows.

On Unix/Linux the PD.jar version can be viewed with the zcat command. This document uses zcat (from Unix/Linux, and also available from Cygwin for Windows), i.e. zcat PD.jar



To continue this example, the above PD.jar was available, but after an upgrade of WAS you can see that an older version of PD.jar was inserted.
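
The same manifest check can be scripted and run after every WAS fix pack to catch a PD.jar that has been put back to an older level. The following is an added example, not IBM code: it assumes the level is recorded in the standard Implementation-Version manifest attribute and treats the WAS 8 minimums quoted above as per-stream minimums. The sample jars are constructed stand-ins, with 6.1.0.5 modelling an older jar reinstated by an upgrade.

```python
import os
import tempfile
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Assumption: the level is in the standard Implementation-Version attribute;
# pass another name if your PD.jar manifest records it elsewhere.
VERSION_ATTR = "Implementation-Version"
# From the technote: WAS 8 needs 6.1.0.7 or 6.1.1.3 as a minimum. Reading these
# as per-stream minimums (6.1.0.x, 6.1.1.x) is this example's interpretation.
WAS8_MINIMUMS = ("6.1.0.7", "6.1.1.3")

def manifest_main_attrs(jar_path):
    """Return the main-section attributes of the jar's manifest as a dict."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read(MANIFEST).decode("utf-8").replace("\r\n", "\n")
    # Unfold wrapped values (continuation lines start with one space), then
    # keep only the main section, which ends at the first blank line.
    main = text.replace("\n ", "").split("\n\n")[0]
    return dict(l.split(": ", 1) for l in main.splitlines() if ": " in l)

def version_tuple(text):
    """'6.1.0.7' -> (6, 1, 0, 7); short forms such as '7.0' are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def meets_minimum(version, minimums=WAS8_MINIMUMS):
    """Compare within the matching release stream, else against the highest."""
    v, mins = version_tuple(version), [version_tuple(m) for m in minimums]
    same_stream = [m for m in mins if m[:3] == v[:3]]
    return v >= same_stream[0] if same_stream else v > max(mins)

def check_pd_jar(jar_path, attr=VERSION_ATTR):
    """Return (version, ok); ok is False when the jar is below the minimum."""
    version = manifest_main_attrs(jar_path).get(attr)
    if version is None:
        raise ValueError(f"{attr} not found in {MANIFEST}")
    return version, meets_minimum(version)

def make_sample_jar(version):
    """Write a constructed stand-in jar (not a real PD.jar); return its path."""
    path = os.path.join(tempfile.mkdtemp(), "PD.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\r\n{VERSION_ATTR}: {version}\r\n\r\n")
    return path

if __name__ == "__main__":
    for level in ("6.1.0.7", "6.1.0.5"):
        print(check_pd_jar(make_sample_jar(level)))
```

To use it on a real installation, call check_pd_jar with the path to the PD.jar under the WAS install tree and, if needed, the attribute name your manifest actually uses.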



Note: The PD.jar cannot be downloaded independently of a patch.

All of the above PD.jar files need to be upgraded to the latest version of the TAM PD.jar to obtain the latest resolved issues.
The patches containing the PD.jar file can be downloaded from IBM's Fix Central:
Find IBM Security Access Manager fixes
 


Product Synonym

IBM Security Verify Access;ISVA;Tivoli Access Manager;TAM;Traditional WebSphere;WAS Traditional

Document Information

Modified date:
17 June 2020

UID

swg21646372