+

Search Tips   |   Advanced Search

Deploy secured applications


Overview

Deploying applications that have security constraints (secured applications) is not much different than deploying applications that do not contain any security constraints. The only difference is that we might need to assign users and groups to roles for a secured application. The secured application requires that we have the correct active user registry.

Before performing this task, verify that you already designed, developed, and assembled an application with all the relevant security configurations.

See:

In this context, deploying and installing an application are considered the same task.To deploy a newly secured application click...

Applications | Install New Application

...and follow the prompts to complete the installation steps. One of the required steps to deploy secured applications is to assign users and groups to roles defined in the application.

During the installation of a new application, the role definition is completed as part of the step that maps security roles to users and groups. If this assignment has already been completed by using an assembly tool, we can still confirm the mapping by following this installation step. We can add new users and groups and modify existing information during this step.

If the application supports delegation, a RunAs role will already be defined in the application. If the delegation policy is set to Specified Identity during assembly, the intermediary invokes a method by using an identity setup during deployment. Use the RunAs role to specify the identity under which the downstream invocations are made. For example, if the RunAs role is assigned user bob and the client alice is invoking a servlet, with delegation set that calls the enterprise beans, the method on the enterprise beans is invoked with bob as the identity.

As part of the new application installation and deployment process, one of the steps is to map or modify users to the RunAs roles. Use this step to assign new users or modify existing users.


Tivoli Access Manager considerations

When TAM is enabled the deployment and undeployment of applications might take a long time or even time out. Disabling the ATCCache might resolve the issue. The ATCCache exists to help with performance during application deployment and undeployment. With some applications, especially those with many modules, the cache can actually have a negative impact on performance in these areas. To disable the ATCCache, navigate to...

config/cells/cell_name

...and modify the file...

amwas.amjacc.template.properties

...to set...

com.tivoli.pd.as.atcc.ATCCache.enabled=false

Because embedded TAM is already configured, update the configuration files with that property. For each instance in the cell, go to...

profiles/<profile_name>/etc/tam

...and modify any file ends as amjacc.properties to set...

com.tivoli.pd.as.atcc.ATCCache.enabled=false

The cell must be restarted before these changes take effect.

Note that the steps are common whether we are installing an application or modifying an existing application.

 

Install and deploy the application

  1. Click...

    Applications | Install New Application

    Complete the required steps until you see the step for mapping security roles to users and groups.

  2. If the application contains roles, assign users and groups to roles.

    At this step during the installation, under Additional Properties, click...

    Map security roles to users and groups

  3. If RunAs roles exist in the application, assign users to RunAs roles. At this step during the installation, under Additional Properties, click Map RunAs roles to users.

  4. If needed, click...

    Correct use of System Identity to specify RunAs roles

    Complete this action if the application has delegation set to use system identity, which is applicable to enterprise beans only. System identity uses the WAS security server ID to invoke downstream methods. Using system identity is not recommended as this ID has more privileges than other identities in accessing WAS internal methods. This task is provided to make sure that the deployer is aware that the methods listed in the panel have system identity set up for delegation and to correct them if necessary. When the internalServerId feature is used, runAs with system identity is not supported; specify RunAs roles here.

  5. Complete the remaining non-security related steps to finish installing and deploying the application.

 

Next steps

After a secured application is deployed, verify that we can access the resources in the application with the correct credentials. For example, if the application has a protected Web module, make sure only the users that you assigned to the roles can use the application.


Role-based authorization

 

Related tasks


Updating and redeploying secured applications
Assigning users to RunAs roles
Secure applications during assembly and deployment
Enable security

 

Related


Security role to user or group mapping
Security enablement followed by errors