Configure global signon principal mapping

 

+

Search Tips   |   Advanced Search

 

 

Overview

To create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials:

 

Procedure

  1. Select...

    Security | Global security | Authentication | JAAS Configuration | Application logins | New

  2. Enter the alias name of the new application login and click Apply.

  3. Under Additional properties, click...

    JAAS Login Modules | New

    ...to define the JAAS Login Modules.

  4. Enter the following...

    Module class name: com.tivoli.pd.as.gso.AMPrincipalMapper
    Use Login Module Proxy: enable
    Authentication strategy: REQUIRED

  5. Click Apply

  6. In the Additional Properties section, click Custom Properties to define Login Module-specific values which are passed directly to the underlying Login Modules.

  7. Click New.

    The Tivoli Access Manager principal mapping module uses the configuration string, authDataAlias, to retrieve the correct user name and password from the security configuration.

    The authDataAlias passed to the module is configured for the J2C ConnectionFactory. Since the authDataAlias is an arbitrary string entered at configuration time, the following scenarios are possible:

    • The authDataAlias contains both the GSO Resource name and the user name. The format of this string is "Resource/User"

    • The authDataAlias contains only the GSO Resource name. The user name is determined using the Subject of the current session.

    Which scenario to use is determined by a JAAS configuration option. The details of these options are:

    Name: com.tivoli.pd.as.gso.AliasContainsUserName

    Value: True if the alias contains the user name, false if the user name should be retrieved from the security context.

    When entering authDataAliases through the WAS console, the node name is automatically pre-pended to the alias. The JAAS configuration entry is to determine whether this node name should be removed or included as part of the resource name.

    Name: com.tivoli.pd.as.gso.AliasContainsNodeName

    Value: True if the alias contains the node name.

    Enter each new parameter using the following scenario information as a guide.

    Note: If the PdPerm.properties configuration file is not located in the default location, JAVA_HOME/PdPerm.properties, then you will also need to add the following property:

    Name = com.tivoli.pd.as.gso.AMCfgURL
    Value = file:///path to PdPerm.properties

    Scenario 1
    Auth Data Alias - BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 2
    Auth Data Alias - BackendEIS
    Resource - BackEndEIS
    User - Currently authenticated WAS user
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 3
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 4
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - nodename/BackEndEIS (notice that node name was not removed)
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 5
    Auth Data Alias - BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 6
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - nodename/BackendEIS/eisUser (notice that the Resource is the same as Auth Data Alias).
    User - Currently authenticated WAS user
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    You now need to create the J2C authentication aliases. The user name and password assigned to these alias entries is irrelevant as Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password assigned to the J2C authentication aliases need to exist so they can be selected for the J2C connection factory in the console.

    To create the J2C authentication aliases, from the WebSphere Application Server administrative console, click Security >Global security. Under JAAS Configuration > J2C Authentication Data and click New for each entry. Refer to the table above for scenario inputs.

    The connection factories for each resource adapter that needs to use the GSO database must be configured to use the Tivoli Access Manager Principal Mapping module. To do this:

    1. From the WAS console, select Applications > Enterprise Applications > appname.

    2. Under Related items, click Connector Modules.

    3. Click the .rar link.

    4. Under Additional properties, click Resource Adapter .

      Note: The resource adapter does not need to be packaged with the application. It can be standalone. For such a scenario the resource adapter is configured from Resources > Resource Adapters.

    5. Under Additional properties, click the J2C Connection Factories link.

    6. Click New and enter the connection factory properties.

    Note: Configuring custom mapping on connection factory is deprecated in WAS V6. To configure the GSO credential mapping, it is recommended that you use the Map Resource References to Resources panel on the administrative console. For more information, refer to J2EE Connector security.


 

See Also


Global signon principal mapping

 



 

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.