Configuring the JACC provider for Tivoli Access Manager using the administrative console

Use this task to configure Tivoli Access Manager as the Java Authorization Contract for Containers (JACC) provider using the administrative console.


Before you begin

Before configuring Tivoli Access Manager as the JACC provider, verify that all of the managed servers, including node agents, are started

Prior to completing the following steps, verify that you have previously created a security administrative user. For more information, see Creating the security administrative user .


About this task

The following configuration is performed on the management server. When you click either Apply or OK, configuration information is checked for consistency, saved, and applied if successful.

This configuration information is propagated to the nodes when synchronization is performed. Restart the nodes for the configuration changes to take effect.

To configure Tivoli Access Manager as the JACC provider using the administrative console, complete the following steps:



  1. Start the WAS administrative console by clicking http://yourhost.domain:port_number/ibm/console after starting WebSphere Application Server. If security is currently disabled, log in with any user ID. If security is currently enabled, log in with a predefined administrative ID and password. This ID is typically the server user ID that is specified when you configure the user registry.
  2. Click Security > Global security.
  3. Under Authorization, click Authorization Providers.
  4. Under General properties, select External authorization using a JACC provider.
  5. Under Related items, click External JACC provider.
  6. Under Additional properties, click Tivoli Access Manager Properties. The Tivoli Access Manager JACC provider configuration screen is displayed.
  7. Enter the following information:
    Enable embedded Tivoli Access Manager
    Select this option to enable Tivoli Access Manager.
    Ignore errors during embedded Tivoli Access Manager disablement
    Select this option when you want to unconfigure the JACC provider. Do not select this option during configuration.
    Client listening port set
    WebSphere Application Server must listen using a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node or machine. More than one authorization server can be specified by separating the entries with commas. Specifying more than one authorization server at a time is useful for reasons of failover and performance. Enter the listening ports used by Tivoli Access Manager clients, separated by a comma. If a range of ports is specified, separate the lower and higher values by a colon (:) (for example, 7999, 9990:999).
    Policy server
    Enter the name of the Tivoli Access Manager policy server and the connection port. Use the policy_server:port form. The policy communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7135.
    Authorization servers
    Enter the name of the Tivoli Access Manager authorization server. Use the auth_server:port:priority form. The authorization server communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7136. The priority value is determined by the order of the authorization server use (for example, auth_server1:7136:1 and auth_server2:7137:2). A priority value of 1 is required when configuring against a single authorization server.
    Administrator user name
    Enter the Tivoli Access Manager administrator user name that was created when Tivoli Access Manager was configured; it is usually sec_master.
    Administrator user password
    Enter the Tivoli Access Manager administrator password.
    User registry distinguished name suffix
    Enter the distinguished name suffix for the user registry that is shared between Tivoli Access Manager and WebSphere Application Server, for example, o=ibm, c=us.
    Security domain
    You can create more than one security domain in Tivoli Access Manager, each with its own administrative user. Users, groups and other objects are created within a specific domain, and are not permitted to access resource in another domain. Enter the name of the Tivoli Access Manager security domain that is used to store WAS users and groups.

    If a security domain is not established at the time of the Tivoli Access Manager configuration, leave the value as Default.

    Administrator user distinguished name
    Enter the full distinguished name of the WebSphere Application Server security administrator ID (for example, cn=wasdmin, o=organization, c=country). The ID name must match the Server user ID on the Lightweight Directory Access Protocol (LDAP) User Registry panel in the administrative console. To access the LDAP User Registry panel, click Security > Secure administration, applications, and infrastructure. Under User account repository, choose Standalone LDAP registry as the available realm definition. Then click Configure.
  8. When all information is entered, click OK to save the configuration properties. The configuration parameters are checked for validity and the configuration is attempted at the host server or cell manager.



After you click OK, WAS completes the following actions: These processes might take some time depending on network traffic or the speed of your machine.


What to do next

If the configuration is successful, the parameters are copied to all subordinate servers, including the node agents. To complete the embedded Tivoli Access Manager client configuration, restart all of the servers, including the host server, and enable WAS security.

Creating the security administrative user
Tivoli Access Manager JACC provider configuration
Tivoli Access Manager JACC provider settings
JACC provider configuration properties for Tivoli Access Manager