Configure Tivoli Access Manager to perform authorization

 


+ Search Tips   |   Advanced Search

You can configure Tivoli Access Manager to perform authorization independently from configuring Tivoli Access Manager to perform authentication. However, if you use Tivoli Access Manager to perform authorization for the portal, also also use Tivoli Access Manager to perform authentication for the portal. Using Tivoli Access Manager to perform only authorization is not supported.

There are additional considerations when you are setting up security to use an external security manager in a WebSphere Portal cluster environment and across mixed nodes. For instance, perform any configuration for an external security manager after you have completed all other setup tasks, including ensuring that the WebSphere Portal cluster is functional. Read the details about using an external security manager in a cluster here.

After you complete the following authorization procedure, the Tivoli Access Manager protected object space contains entries for portal roles in the following format:

<wp_root>/<role>/<application>/<server>/<cell>

...where <wp_root>, <application>, <server>, and <cell> are configurable values in the ExternalAccessControlService.properties file on the WebSphere Portal machine, and <role> is a WebSphere Portal role that determines access control.

For example: /<wp_root>/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell

Notes:

  • After a role is externalized, use Tivoli Access Manager to add and remove users and groups to the Access Control List (ACL) for the role.

  • Use Tivoli Access Manager to provide access control for all public portal resources, or for a subset of public portal resources, depending on the needs of your environment. Access control for private pages cannot be externalized.

  • This example assumes that IBM HTTP Server is the Web server.

  • pdadmin is a command line utility that supports Tivoli Access Manager administrative functions.

  1. Ensure that the Tivoli Access Manager AMJRTE component on the WebSphere Portal machine is at the V 5.1 fix pack 2 level. This version of the AMJRTE component is automatically installed with WebSphere Application Server V5.1.1.

  2. Follow the instructions in Configure Tivoli Access Manager to perform authentication for WebSphere Portal.

  3. The Tivoli Access Manager configuration tool secures the LDAP namespace by modifying the LDAP Access Control List of all suffixes that are defined. This may include the suffixes that are used by WebSphere Portal to store users and groups.

    To avoid problems when WebSphere Portal searches for users, use the WebSphere Application Server Administrative Console to verify a Bind DN and Bind DN password exist. This Bind DN and password must have sufficient access rights within the directory (at least under the subtree that is specified by the BaseDN) to do searches in both the user and group subtrees within the directory.

    When the directory is secured, WebSphere Application Server must have an identity that can read from the directory. WebSphere Application Server can use an identity that is already set up with the necessary read permission in the ACL or the directory, or you can add a new identity for WebSphere Application Server to the ACL for the directory. Setting up new identities in the ACL for the directory is a directory-specific task. Consult the directory documentation for specific instructions.

  4. Locate the <wp_root>/config/wpconfig.properties file.

  5. Create a backup copy of this file.

  6. Verify connectivity to Tivoli Access Manager by running the validate-pdadmin-connection configuration task.

    1. Use a text editor to open the <wp_root>/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file.

      Note the following:

      • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

      • Use / instead of \ for all platforms.

      • Some values, shown in italics below, might need to be modified to your specific environment.

      Input Description
      PDAdminId The user ID for the administrative TAM user.
      PDAdminPw The password for the administrative TAM user.
      PDPermPath The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Open a command prompt and change to directory $WAS_HOME/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user <was_admin_userID> -password <was_admin_password>

    5. Change to the directory <wp_root>/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  7. If the validate-pdadmin-connection task succeeds, skip to step 8. If the validate-pdadmin-connection task fails, do the following:

    1. Use a text editor to open the <wp_root>/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input Description
      PDServerName Unique application name used to create a new Tivoli server in the Access Manager Policy Server.

      If a server with the same name appears in the server list command, the SvrSslCfg command will fail.

      PDAdminId The user ID for the administrative TAM user.
      PDAdminPw The password for the administrative TAM user.
      PDPermPath The location of the TAM AMJRTE properties file.
      SvrSslCfgPort Configuration port for the application name.
      SvrSslCfgMode Configuration mode of the SvrSslCfg command.
      TamHost Defines the TAM Policy Server used when running PDJrteCfg.
      PDPolicyServerList Defines a hostname, port, and priority combinations for your TAM Policy servers used when running SvrSslCfg.
      PDAuthzServerList Defines a hostname, port, and priority combination for your TAM authorization servers.
      PDKeyPath Stores encryption keys used for the SSL communication between AMJRTE and

      Tivoli Access Manager.

    2. Save the file.

    3. Open a command prompt and change to directory $WAS_HOME/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user <was_admin_userID> -password <was_admin_password>

    5. Change to the directory <wp_root>/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  8. Use the WebSphere Application Server encoding mechanism to mask the passwords in the <wp_root>/shared/app/config/services/ExternalAccessControlService.properties file:

    1. Save the <wp_root>/shared/app/config/services/ExternalAccessControlService.properties file.

    2. Make a backup copy of the file. This backup copy, which has all values except the password configured, will be used as the basis for any future password changes as described in step g.

    3. Enter the password in the clear into the live version of the file (not the backup copy).

    4. Save the live version of the file.

    5. Use the WebSphere Application Server encoding mechanism to mask the passwords in the live version of the file. The following command masks the sensitive fields and removes all comments from the file. The original version of the file with the password in the clear and all comments intact is preserved with a bak extension. Enter the appropriate command:

      • Windows: $WAS_HOME\bin\PropFilePasswordEncoder.bat <filename> <property_name>

      • UNIX: $WAS_HOME/bin/PropFilePasswordEncoder.sh <filename> <property_name>

      For example, on Windows, enter the following command on a single line: 

      c> c:\Program Files\WebSphere\AppServer\bin\PropFilePasswordEncoder.bat
c:\Program Files\WebSphere\PortalServer\shared\app\config\services\ExternalAccessControlService.properties.pdpw

    6. The next time change the password, do the following steps:

      1. Copy the backup version of the file over the live version, which will have no comments and an encoded password.

      2. Edit this new live file as needed and enter the new password in the clear.

      3. Save the file.

      4. Run the WebSphere Application Server encoding mechanism on the file. The backup copy still exists with no password but with the comments preserved.

    7. For security reasons, either remove the password from the file with the bak extension that was created in step F, or delete the file. Alternatively, you can specify the password on the command line using the following syntax:

      WPSconfig.{sh|bat} task_name -Dpassword_property_key=password_value

      As with other properties, each password property must have the -D prefix and be set equal to (=) a value. If you have multiple properties in a single command, use a space character between each -Dproperty=value setting.

  9. Make backup copies of the following files:

  10. Run the enable-tam-authorization configuration task to set up Tivoli Access Manager to perform authorization for the portal. Remember that if you do this, also use Tivoli Access Manager to perform authentication for the portal.

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input Description
      PDAdminId The user ID for the administrative TAM user.
      PDAdminPw The password for the administrative TAM user.
      PDPermPath The location of the TAM AMJRTE properties file.
      PDRoot Root objectspace entry in the TAM namespace. All Portal roles will be installed under this objectspace entry.
      PDAction When the Tivoli Access Manager external authorization plugin is started, it will detect and, if necessary, create a custom action in Tivoli Access Manager. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles.
      PDActionGroup When the Tivoli Access Manager external authorization plugin is started, it will detect and, if necessary, create a custom action group in Tivoli Access Manager. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles.
      PDCreateAcl When Portal externalizes a role, it can automatically create and attach a TAM ACL granting membership to the user doing the role. If you set this property to false, the TAM administrator will be responsible for creating TAM ACLs to allow access to Portal roles.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  11. Restart WebSphere Portal.

    When WebSphere Portal starts, TAMExternalAccessControlServices creates the necessary topology in Tivoli Access Manager to begin externalizing roles and also creates the Administrator@EXTERNAL ACCESS CONTROL role. Depending on your configuration setting for externalaccesscontrol.createAcl, it also adds the <wpsadmin> user to the ACL that is attached to this role.

  12. By default, externalized roles appear in the external security manager as Role Type@Resource Type/Name/Object ID. For example, Administrator@PORTLET_APPLICATION/Welcome/1_1_1G.

    You can change this format to Resource Type/Name/Object ID@Role type. This format change groups the roles by resource name instead of by role type. For example, PORTLET_APPLICATION/Welcome/1_0_1G@Administrator. This format change is visible only when the roles are externalized. This change does not affect the way roles are displayed in WebSphere Portal.

    The Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1 role is never affected by this format change. This role always appears with the role type "Administrator" on the left.

    Follow these steps to change the format for externalized roles:

    1. On the WebSphere Portal machine, find the <wp_root>/shared/app/config/services/AccessControlDataManagementService.properties file and make a backup copy.

    2. Edit and change the value of the accessControlDataManagement.reorderRoleNames property to true. (If this property does not exist in the file, add it.)

    To change the display format for roles that were initially externalized in the default format, follow these steps:

    1. Internalize the roles.

    2. Set the reorderRoleNames property to true as previously explained.

    3. Externalize the roles.

    Example of roles list with reorderRoleNames=false: 

    Administrator@WEB_MODULE/Tracing.war/1_0_3K
        Administrator@PORTLET_APPLICATION/Welcome/1_0_1G
        User@WEB_MODULE/Tracing.war/1_0_3K
        Priviledged User@WEB_MODULE/Tracing.war/1_0_3K
        Priviledged User@PORTLET_APPLICATION/Welcome/1_0_1G

    Example of roles list with reorderRoleNames=true 

    PORTLET_APPLICATION/Welcome/1_0_1G@Administrator
        PORTLET_APPLICATION/Welcome/1_0_1G@Priviledged User
        WEB_MODULE/Tracing.war/1_0_3K@Administrator
        WEB_MODULE/Tracing.war/1_0_3K@Priviledged User
        WEB_MODULE/Tracing.war/1_0_3K@User

 

Verify that Tivoli Access Manager is working properly

  1. Verify that the topology is as described in the protected object space before proceeding.

  2. Ensure that at least one user, usually the portal administrator, has the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role.

    1. To verify that the portal administrator and the portal administrator group have this role, view the ACL for the namespace entry representing the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role be entering the following command on the pdadmin command line: 
      pdadmin> acl show WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1

    2. If there is no entry for the portal administrator, enter the following command to add the portal administrator to the Administrator@VIRTUAL/EXTERNAL_ACCESS_CONTROL_1 ACL: 
      pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set user <wpsadmin> T[WPS]m
pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set group <wpsadmins> T[WPS]m

      where <wpsadmin> is the portal administrator user ID and <wpsadmins> is the portal administrator group.

  3. Proceed to the Resource Permissions portlet on the WebSphere Portal machine.

    1. Select a resource.

    2. Click the Assign Access icon.

    3. Click the Edit Role icon for a role that you want to externalize.

    4. Click Add to explicitly assign at least one user or group to the Administrator role for the resource.

    5. Optional: Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource, use the external security manager interface to create this role type later. For example, if you do no not do not assign any users or groups to the Editor role type for the resource, then use the external security manager interface to create the Editor role type later.

    6. Click Done when you are finished, then click OK to return to the page that displays the resource.

    7. Click the Externalize icon for the resource. This moves every role that is defined for this resource in steps D and E to the Tivoli Access Manager protected object space. One ACL is created for each externalized role.

  4. Add users to the ACLs that are attached to the role types on that resource by using either the Tivoli Access Manager GUI or the pdadmin command line.

If you log on to WebSphere Portal for administration purposes and you intend to externalize resources to Tivoli Access Manager, remember the following:

  • be a member of the wpsadmins group

  • The wpsadmins group must appear in the VIRTUAL/EXTERNAL_ACCESS_CONTROL_1 ACL

 

See also

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.

 

Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.