Configure Tivoli Access Manager for authentication, authorization, and the Credential Vault

 



You can configure authentication, authorization and the vault adapter all at once by following these steps:

  1. Locate the wp_root/config/wpconfig.properties file on the WebSphere Portal machine and create a backup copy before changing any values.

  2. Verify connectivity to Tivoli Access Manager by running the validate-pdadmin-connection configuration task.

    The validate-pdadmin-connection task verifies that the TAM AMJRTE SvrSslCfg command has run and that WebSphere Portal has the necessary configuration parameters to communicate with TAM.

    If the SvrSslCfg command has not run, see step 3 to run the run-svrssl-config task.

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and edit the following values in the Advanced Security Configuration section of the file:

      Note the following:

      • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

      • Use / instead of \ for all platforms.

      • Some values might need to be modified to match your specific environment.

      Input Description
      PDAdminId The user ID for the administrative TAM user.
      PDAdminPw The password for the administrative TAM user.
      PDPermPath The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  3. If the validate-pdadmin-connection task succeeds, skip to step 4. If the validate-pdadmin-connection task fails, do the following:

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input Description
      PDAdminId The user ID for the administrative TAM user.
      PDAdminPw The password for the administrative TAM user.
      PDPermPath The location of the TAM AMJRTE properties file.
      PDServerName Unique application name used to create a new Tivoli server in the Access Manager Policy Server.

      If a server with the same name appears in the server list command, the SvrSslCfg command will fail.

      SvrSslCfgPort Configuration port for the application name.
      SvrSslCfgMode Configuration mode of the SvrSslCfg command.
      TamHost Defines the TAM Policy Server used when running PDJrteCfg.
      PDPolicyServerList Defines a hostname, port, and priority combinations for your TAM Policy servers used when running SvrSslCfg.
      PDAuthzServerList Defines a hostname, port, and priority combination for your TAM authorization servers.
      PDKeyPath Stores encryption keys used for the SSL communication between AMJRTE and Tivoli Access Manager.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

    7. Re-run the validate-pdadmin-connection task after the run-svrssl-config task completes successfully.

  4. Make backup copies of the following files (where wp_root is the installation directory for WebSphere Portal):

  5. Enable the TAI, authorization, and set up the Credential Vault adapter.

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file:

      Input Description
      EACserverName (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace.

      If set, EACcellName and EACappName must also be set.

      EACcellName (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace.

      If set, EACserverName and EACappName must also be set.

      EACappName (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace.

      If set, EACcellName and EACserverName must also be set.

      reorderRoles Determines whether externalized portal role names are displayed with the resource type first or with the role type first.
      PDAdminId The user ID for the administrative TAM user.
      PDAdminPw The password for the administrative TAM user.
      PDPermPath The location of the TAM AMJRTE properties file.
      TamHost Defines the TAM Policy Server used when running PDJrteCfg.
      JunctionType The type of junction to be created in TAM. Accepted values are tcp and ssl.
      JunctionPoint The WebSEAL junction point to the WebSphere Portal instance.
      WebSealInstance Specifies the WebSEAL instance used to create the junction.
      TAICreds The headers inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.
      WebSealHost Optional parameter that sets the WebSEAL TAI's hostnames parameter.
      WebSealPort Optional parameter that sets the WebSEAL TAI's ports parameter.
      WebSealUser (for tcp junctions) The reverse proxy identity used when you create a TCP junction.
      BaUserName (for ssl junctions) The reverse proxy identity used when you create an SSL junction.
      BaPassword (for ssl junctions) When you create an SSL junction, you can provide a password to the identity representing the reverse proxy on every request.
      PDRoot Root objectspace entry in the TAM namespace.
      PDAction Custom Action created by the Tivoli Access Manager external authorization plugin. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles.
      PDActionGroup Custom Action group created by the Tivoli Access Manager external authorization plugin. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles.
      PDCreateAcl Set to determine whether the portal can automatically create and attach a TAM ACL when Portal externalizes a role.
      vaultType New vault type identifier representing the Tivoli GSO lockbox vault.
      vaultProperties Defines a properties file to be used to configure the vault with TAM specific user and SSL connection information.
      manageResources Determines if the portal credential vault or any custom portlet is allowed to create new resource objects in TAM.
      readOnly Determines if the portal credential vault or any custom portlet is allowed to modify the secrets stored in TAM.
      WpsHostName (set to fully qualified hostname) The fully-qualified URL to WebSphere Portal.
      WpsHostPort The port number used to access the host machine identified by the WpsHostName property.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system. This configuration task automatically creates and populates a file named wp_root/shared/app/config/accessmanagervault.properties:

        Windows: WPSconfig.bat enable-tam-all -DPdBaPassword=password -DPdAdminPw=password

      If the configuration task fails, validate the values in the wpconfig.properties file.
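When a configuration task in steps 2, 3 or 5 fails, the page's advice is to validate the values in wpconfig.properties. The following pre-flight check is added here as example code (it is not part of WebSphere Portal or Tivoli Access Manager): it reads the Advanced Security Configuration values and enforces the constraints this page states, namely that the three EAC* keys are set together, that paths use / rather than \, and that the junction type is tcp or ssl with its matching reverse-proxy identity key present. The set of keys treated as required, the minimal .properties parser and the sample values are assumptions.

```python
import re

# Keys the validate-pdadmin-connection step needs (assumed from the step 2 table).
REQUIRED_KEYS = ("PDAdminId", "PDAdminPw", "PDPermPath")
# Optional namespace context keys; the page says they must be set together.
EAC_KEYS = ("EACserverName", "EACcellName", "EACappName")
# Path values; the page says to use / instead of \ on all platforms.
PATH_KEYS = ("PDPermPath", "PDKeyPath", "vaultProperties")

# Constructed sample with three deliberate mistakes; not a real deployment.
SAMPLE = r"""# Advanced Security Configuration (constructed sample)
PDAdminId=tam_admin
PDAdminPw=PLACEHOLDER_PASSWORD
PDPermPath=C:\PDPerm\PdPerm.properties
JunctionType=ssl
EACserverName=WebSphere_Portal
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_advanced_security(props):
    """Return a list of problems; an empty list means the stated constraints hold."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"{key} is not set")
    eac_set = [k for k in EAC_KEYS if props.get(k)]
    if eac_set and len(eac_set) != len(EAC_KEYS):
        problems.append("EACserverName, EACcellName and EACappName must all be set if any is set")
    for key in PATH_KEYS:
        if "\\" in props.get(key, ""):
            problems.append(f"{key} contains a backslash; use / on all platforms")
    jtype = props.get("JunctionType", "").lower()
    if jtype == "tcp" and not props.get("WebSealUser"):
        problems.append("WebSealUser is required for a tcp junction")
    elif jtype == "ssl" and not props.get("BaUserName"):
        problems.append("BaUserName is required for an ssl junction")
    elif jtype not in ("tcp", "ssl"):
        problems.append("JunctionType must be tcp or ssl")
    return problems
```

Run check_advanced_security(parse_properties(open("wpconfig.properties").read())) against your own copy of the file; on the constructed SAMPLE it reports the EAC*, backslash and BaUserName problems.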

  6. Only perform this step if you want to enable automatic user provisioning to Tivoli Access Manager. There are two ways to create users in WebSphere Portal:

    • Self-registration: This feature is enabled by default.

    • Manage Users and Groups portlet: Administrators can use this portlet to create WebSphere Portal users.

    When users are created in WebSphere Portal, they are not automatically imported into Tivoli Access Manager. Enabling automatic user provisioning to Tivoli Access Manager changes this behavior: once the feature is enabled, users are automatically imported into Tivoli Access Manager whenever they are created in WebSphere Portal. When user provisioning to Tivoli Access Manager is enabled, anyone with access to the public portal URL can become an active user in Tivoli Access Manager as long as the portal's self-registration feature remains enabled.

    Follow these steps to enable user provisioning to Tivoli Access Manager:

    1. Open a command prompt and change to directory was_root/bin.

    2. Enter the following commands:

      1. startServer server1

      2. Check whether the WebSphere_Portal server is started by entering this command on one line:

        serverStatus WebSphere_Portal -user was_admin_userID -password was_admin_password

      3. If not started, start the WebSphere Portal server with the following command for your operating system:

          startServer.bat WebSphere_Portal -user was_admin_userID -password was_admin_password

    3. Change to the directory wp_root/config.

    4. Enter the following command to run the appropriate configuration task for your specific operating system:

  7. Use the steps in the links provided below to verify that the enable-tam-all task completed successfully:

 
