Set global sign-on principal mapping
To create a new application login that uses the TAM GSO database to store the login credentials, complete the following steps.

  1. Create a new JAAS login configuration...

    Security | Global security | Authentication | Java Authentication and Authorization Service | Application logins | New

  2. Enter the alias name of the new application login. Click Apply.

  3. Under Additional properties, click JAAS login modules to define the JAAS Login Modules.

  4. Click New and enter the following information:

    Module class name:      com.tivoli.pdwas.gso.AMPrincipalMapper
    Use Login Module Proxy: enabled
    Authentication strategy: REQUIRED

  5. Click Apply

  6. Under Additional Properties section, click Custom Properties to define login module-specific values that are passed directly to the underlying login modules.

  7. Click New.

    The TAM principal mapping module uses the authDataAlias configuration string to look up the correct user name and password in the GSO database. The authDataAlias attribute that is passed to the module is the one configured on the J2C connection factory. Because the authDataAlias attribute is an arbitrary string that is entered at configuration time, the following scenarios are possible:

    • The authDataAlias attribute contains both the global sign-on (GSO) resource name and the user name. The format of this string is "Resource/User".

    • The authDataAlias attribute contains the GSO Resource name only. The user name is determined by using the Subject of the current session.

    The scenario to use is determined by a JAAS configuration option, as shown here:

    • Name: com.tivoli.pd.as.gso.AliasContainsUserName

    • Value: true, if the alias contains the user name; false, if the user name must be retrieved from the security context (the Subject of the current session)

    When entering authDataAlias attributes through the WAS admin console, the node name is automatically prepended to the alias (nodename/alias). The JAAS configuration entry determines whether this node name is removed or kept as part of the resource name, as shown here:

    • Name: com.tivoli.pd.as.gso.AliasContainsNodeName

    • Value: true, if the alias contains the node name and it must be removed before the resource name is resolved; false, if the alias is used as entered

    If the PdPerm.properties configuration file is not located in the default location, JAVA_HOME/PdPerm.properties, then you also need to add the following property:

    • Name: com.tivoli.pd.as.gso.AMCfgURL

    • Value: file:///path_to_PdPerm.properties

    Enter each new parameter using the following scenario information as a guide, then click Apply. In every scenario, the Resource and User columns show what the module derives from the alias under the given flag values; the flags must match the form in which the alias was entered, because the module does not validate the alias against the GSO database before splitting it.

    Scenario 1

    Auth Data Alias - BackendEIS/eisUser

    Resource - BackendEIS

    User - eisUser

    Principal Mapping Parameters


    Table 1. Principal Mapping Parameters

    Name                                          Value
    delegate                                      com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName    true
    com.tivoli.pd.as.gso.AliasContainsNodeName    false
    com.tivoli.pd.as.gso.AMLoggingURL             file:///jlog_props_path
    debug                                         false

    Scenario 2

    Auth Data Alias - BackendEIS

    Resource - BackendEIS

    User - Currently authenticated WAS user

    Principal Mapping Parameters


    Table 2. Principal Mapping Parameters

    Name                                          Value
    delegate                                      com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName    false
    com.tivoli.pd.as.gso.AliasContainsNodeName    false
    com.tivoli.pd.as.gso.AMLoggingURL             file:///jlog_props_path
    debug                                         false

    Scenario 3

    Auth Data Alias - nodename/BackendEIS/eisUser

    Resource - BackendEIS (the node name is removed)

    User - eisUser

    Principal Mapping Parameters


    Table 3. Principal Mapping Parameters

    Name                                          Value
    delegate                                      com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName    true
    com.tivoli.pd.as.gso.AliasContainsNodeName    true
    com.tivoli.pd.as.gso.AMLoggingURL             file:///jlog_props_path
    debug                                         false

    Scenario 4

    Auth Data Alias - nodename/BackendEIS/eisUser

    Resource - nodename/BackendEIS (notice that the node name is not removed, because AliasContainsNodeName is false)

    User - eisUser

    Principal Mapping Parameters


    Table 4. Principal Mapping Parameters

    Name                                          Value
    delegate                                      com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName    true
    com.tivoli.pd.as.gso.AliasContainsNodeName    false
    com.tivoli.pd.as.gso.AMLoggingURL             file:///jlog_props_path
    debug                                         false

    Scenario 5

    Auth Data Alias - nodename/BackendEIS

    Resource - BackendEIS (the node name is removed)

    User - Currently authenticated WAS user (AliasContainsUserName is false, so the user name comes from the Subject, not from the alias)

    Principal Mapping Parameters


    Table 5. Principal Mapping Parameters

    Name                                          Value
    delegate                                      com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName    false
    com.tivoli.pd.as.gso.AliasContainsNodeName    true
    com.tivoli.pd.as.gso.AMLoggingURL             file:///jlog_props_path
    debug                                         false

    Scenario 6

    Auth Data Alias - nodename/BackendEIS/eisUser

    Resource - nodename/BackendEIS/eisUser (notice that the resource is the same as the Auth Data Alias, because neither the node name nor a user name is split off)

    User - Currently authenticated WAS user

    Principal Mapping Parameters


    Table 6. Principal Mapping Parameters

    Name                                          Value
    delegate                                      com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName    false
    com.tivoli.pd.as.gso.AliasContainsNodeName    false
    com.tivoli.pd.as.gso.AMLoggingURL             file:///jlog_props_path
    debug                                         false
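    The following Python model, added here as an illustration and not part of the IBM documentation or of the TAM module itself, applies the two alias rules above (strip the prepended node name when AliasContainsNodeName is true; split off the trailing user name when AliasContainsUserName is true, otherwise take the user from the Subject) to the six scenario aliases and shows which GSO resource and user each combination resolves to. The function names, the SCENARIOS table and the Subject user name "wasuser" are assumptions made for the example; the real module goes on to look the result up in the GSO database, which is not modelled.

```python
from typing import Dict, Optional, Tuple

# Constructed model of how the documented AliasContainsNodeName and
# AliasContainsUserName flags shape the authDataAlias string. Not IBM/TAM code.


def resolve_alias(alias: str,
                  alias_contains_user_name: bool,
                  alias_contains_node_name: bool,
                  subject_user: Optional[str] = None) -> Tuple[str, str]:
    """Return (gso_resource, user) for an authDataAlias under the two flags.

    AliasContainsNodeName: the admin console prepends "nodename/" to the alias;
    when true, the first path segment is dropped before anything else.
    AliasContainsUserName: when true, the alias is "Resource/User" and the last
    segment is the user; when false, the whole remaining string is the resource
    and the user is taken from the Subject of the current session, passed in
    here as subject_user.
    """
    segments = alias.split("/")
    if alias_contains_node_name:
        if len(segments) < 2:
            raise ValueError(f"alias {alias!r} has no node name segment to strip")
        segments = segments[1:]
    if alias_contains_user_name:
        if len(segments) < 2:
            raise ValueError(f"alias {alias!r} is not in Resource/User form")
        return "/".join(segments[:-1]), segments[-1]
    if subject_user is None:
        raise ValueError("no authenticated Subject to take the user name from")
    return "/".join(segments), subject_user


# The six documented alias/flag combinations (constructed to match the tables):
# scenario number -> (alias, AliasContainsUserName, AliasContainsNodeName)
SCENARIOS: Dict[int, Tuple[str, bool, bool]] = {
    1: ("BackendEIS/eisUser", True, False),
    2: ("BackendEIS", False, False),
    3: ("nodename/BackendEIS/eisUser", True, True),
    4: ("nodename/BackendEIS/eisUser", True, False),
    5: ("nodename/BackendEIS", False, True),
    6: ("nodename/BackendEIS/eisUser", False, False),
}


def run_scenarios(subject_user: str = "wasuser") -> Dict[int, Tuple[str, str]]:
    """Resolve every scenario for a session whose Subject is subject_user."""
    return {n: resolve_alias(alias, has_user, has_node, subject_user)
            for n, (alias, has_user, has_node) in SCENARIOS.items()}


if __name__ == "__main__":
    for n, (resource, user) in sorted(run_scenarios().items()):
        print(f"Scenario {n}: resource={resource!r} user={user!r}")
```

    The point to take from the model is that the flags are applied blindly to the string: an alias entered without a node name, such as BackendEIS/eisUser, combined with AliasContainsNodeName set to true, strips "BackendEIS" as if it were the node name and looks up the GSO resource "eisUser" instead. Check the resolved resource against the GSO database entry when you choose the flag values.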

  8. Create the J2C authentication aliases. The user name and password that are assigned to these alias entries are not used, because TAM provides the user names and passwords from the GSO database. However, the J2C authentication alias entries must exist so that they can be selected for the J2C connection factory in the admin console; because their values are ignored, use placeholder values rather than the real back-end credentials.

    To create the J2C authentication aliases, from the WAS admin console, click Security > Global security. Under Authentication, click Java Authentication and Authorization Service > J2C authentication data, and then click New for each new entry. Refer to the previous tables for the scenario inputs. The connection factories for each resource adapter that need to use the GSO database must be configured to use the TAM principal mapping module:

    1. From the WAS admin console, click...

      Applications | Enterprise Applications | myapp | Resource references

      Note that J2C connection factories must be already configured for the selected application. To configure a new J2C connection factory, see Set Java EE Connector connection factories in the admin console.

    2. Under Additional properties, click Resource Adapter.

      The resource adapter can be standalone and does not need to be packaged with the application. The resource adapter is configured from Resources > Resource Adapters for standalone scenarios.

    3. Under Additional properties, click J2C Connection Factories.

    4. Click New and enter the connection factory properties.

    5. When finished, click Apply > Save.

    Custom mapping configuration for the connection factory is deprecated in WAS V6. To configure the GSO credential mapping, use the Map Resource References to Resources panel on the admin console.

    See the J2EE connector security article.

 

Related concepts

Global single sign-on principal mapping for authentication
J2EE connector security

 

Related tasks

Set Java EE Connector connection factories in the admin console
Set single sign-on capability with TAM or WebSEAL