Set the JACC provider for Tivoli Access Manager using the admin console
Use this task to configure the Tivoli Access Manager Java Authorization Contract for Containers (JACC) provider using the admin console.
Before configuring TAM as the JACC provider...
- Start all managed servers, including node agents
- Create a security admin user
The following configuration is performed on the management server. When you click either Apply or OK, configuration information is checked for consistency, saved, and applied if successful.
This configuration information is propagated to the nodes when synchronization is performed. Restart the nodes for the configuration changes to take effect.
To configure TAM as the JACC provider using the admin console...
- Log on to the WAS admin console...
- Go to...
Security | Global security | External authorization providers | General properties | External authorization using a JACC provider | Related items | External JACC provider | Additional properties | Tivoli Access Manager Properties
- Enter the following information:
- Enable embedded TAM
  Select this option to enable TAM.
- Ignore errors during embedded TAM disablement
  Select this option only when you want to unconfigure the JACC provider. Do not select this option during configuration.
- Client listening port set
  WAS must listen on a TCP/IP port for authorization database updates from the policy server. More than one WAS process can run on a particular node or machine, so specify a set of ports for those processes to use. Enter the listening ports used by TAM clients, separated by commas. To specify a range of ports, separate the lower and higher values with a colon (:), for example 7999, 9990:9999.
- Policy server
  Enter the host name of the TAM policy server and its connection port, in the form policy_server:port. The policy server communication port is set when TAM is configured; the default is 7135.
- Authorization servers
  Enter the TAM authorization servers in the form auth_server:port:priority. The authorization server communication port is set when TAM is configured; the default is 7136. The priority value sets the order in which the authorization servers are used, for example auth_server1:7136:1 and auth_server2:7137:2. More than one authorization server can be specified by separating the entries with commas; specifying more than one is useful for failover and performance. A priority value of 1 is required when configuring against a single authorization server.
- Administrator user name
  Enter the TAM administrator user name created when TAM was configured; it is usually sec_master.
- Administrator user password
  Enter the TAM administrator password.
- User registry distinguished name suffix
  Enter the distinguished name suffix of the user registry that is shared between TAM and WAS, for example o=ibm, c=us.
- Security domain
  We can create more than one security domain in TAM, each with its own administrative user. Users, groups and other objects are created within a specific domain and are not permitted to access resources in another domain. Enter the name of the TAM security domain that stores the WAS users and groups. If no security domain was established when TAM was configured, leave the value as Default.
- Administrator user distinguished name
  Enter the full distinguished name of the WAS security administrator ID, for example cn=wasadmin, o=organization, c=country. This DN must match the Server user ID on the LDAP User Registry panel in the admin console. To access the LDAP User Registry panel, click Security | Global security | User account repository | Standalone LDAP registry | Configure.
- When all information is entered, click OK to save the configuration properties. The configuration parameters are checked for validity and the configuration is attempted at the host server or cell manager.
After you click OK, WAS completes the following actions:
- Validates the configuration parameters.
- Configures the host server or cell manager.
These processes might take some time depending on network traffic or the speed of the machine.
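The consistency check that runs when you click OK is not documented in detail, but the value formats above are precise enough to check offline before touching the console. The following Python script is an added example, not WebSphere's or Tivoli's own validation code: it parses the client listening port set (comma-separated entries, lower:higher ranges), the policy_server:port and auth_server:port:priority forms, and checks that the administrator DN sits under the registry suffix and matches the LDAP registry Server user ID. The host names pdmgrd.example.com and the password value are constructed sample data; requiring that some authorization server carry priority 1 in the multi-server case, and the simplified case-folding DN comparison, are this example's assumptions rather than rules the page states.

```python
"""Offline consistency checks for the TAM JACC provider properties.
Added example; not WebSphere's own validation logic."""
import re

# Underscore is allowed so the page's own example names (auth_server1) pass.
HOST_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_.-]*[A-Za-z0-9_])?$")


def _port(text):
    """Accept a decimal TCP port in 1..65535."""
    if not text.isdigit():
        raise ValueError("port is not numeric: %r" % text)
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def _host(text):
    if not HOST_RE.match(text):
        raise ValueError("invalid host name: %r" % text)
    return text


def parse_port_set(text):
    """'7999, 9990:9999' -> [(7999, 7999), (9990, 9999)]; a range is lower:higher."""
    ranges = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in client listening port set")
        if ":" in entry:
            low_txt, high_txt = entry.split(":", 1)
            low, high = _port(low_txt.strip()), _port(high_txt.strip())
            if low > high:
                raise ValueError("range lower bound above upper bound: %r" % entry)
        else:
            low = high = _port(entry)
        ranges.append((low, high))
    return ranges


def parse_policy_server(text):
    """'policy_server:port' -> (host, port). The TAM default port is 7135."""
    host, sep, port = text.strip().partition(":")
    if not sep:
        raise ValueError("policy server must be host:port: %r" % text)
    return _host(host), _port(port)


def parse_auth_servers(text):
    """'auth1:7136:1, auth2:7137:2' -> [(host, port, priority)] sorted by priority.
    Priorities must be unique; a single server must use priority 1 (page rule).
    Requiring priority 1 to be present with several servers is an assumption."""
    servers = []
    for entry in text.split(","):
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3:
            raise ValueError("authorization server must be host:port:priority: %r" % entry)
        host, port, prio = parts
        if not prio.isdigit() or int(prio) < 1:
            raise ValueError("priority must be a positive integer: %r" % entry)
        servers.append((_host(host), _port(port), int(prio)))
    prios = [s[2] for s in servers]
    if len(set(prios)) != len(prios):
        raise ValueError("duplicate authorization server priorities: %r" % prios)
    if 1 not in prios:
        raise ValueError("one authorization server must have priority 1")
    return sorted(servers, key=lambda s: s[2])


def normalize_dn(dn):
    """Trim whitespace around ',' and '=' and lower-case the DN for comparison.
    This is a simplification of LDAP DN matching, assumed adequate here."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN in %r" % dn)
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(rdns)


def validate_tam_jacc_properties(props, ldap_server_user_id):
    """props is keyed by the panel labels; ldap_server_user_id is the Server user ID
    from the Standalone LDAP registry panel. Returns parsed values or raises."""
    if not props.get("Enable embedded TAM", False):
        raise ValueError("Enable embedded TAM must be selected to configure the provider")
    if props.get("Ignore errors during embedded TAM disablement", False):
        raise ValueError("do not select the disablement option while configuring")
    if not props.get("Administrator user name", "").strip():
        raise ValueError("Administrator user name is required (usually sec_master)")
    if not props.get("Administrator user password", ""):
        raise ValueError("Administrator user password is required")
    suffix = normalize_dn(props["User registry distinguished name suffix"])
    admin_dn = normalize_dn(props["Administrator user distinguished name"])
    if not admin_dn.endswith("," + suffix):
        raise ValueError("administrator DN %r is not under suffix %r" % (admin_dn, suffix))
    if admin_dn != normalize_dn(ldap_server_user_id):
        raise ValueError("administrator DN must match the LDAP registry Server user ID")
    return {
        "port_set": parse_port_set(props["Client listening port set"]),
        "policy_server": parse_policy_server(props["Policy server"]),
        "auth_servers": parse_auth_servers(props["Authorization servers"]),
        "security_domain": props.get("Security domain", "").strip() or "Default",
        "admin_user": props["Administrator user name"].strip(),
        "admin_dn": admin_dn,
        "dn_suffix": suffix,
    }


# Constructed sample input; host pdmgrd.example.com and the password are made up.
SAMPLE_PROPS = {
    "Enable embedded TAM": True,
    "Ignore errors during embedded TAM disablement": False,
    "Client listening port set": "7999, 9990:9999",
    "Policy server": "pdmgrd.example.com:7135",
    "Authorization servers": "auth_server1:7136:1, auth_server2:7137:2",
    "Administrator user name": "sec_master",
    "Administrator user password": "changeit",
    "User registry distinguished name suffix": "o=ibm, c=us",
    "Security domain": "Default",
    "Administrator user distinguished name": "cn=wasadmin, o=ibm, c=us",
}

if __name__ == "__main__":
    for key, value in validate_tam_jacc_properties(SAMPLE_PROPS, "cn=wasadmin,o=ibm,c=us").items():
        print(key, value)
```

Run it against the values you intend to type; a reversed range such as 9990:999, a lone authorization server with priority 2, or the disablement option left selected during configuration each raise a ValueError with the field named, which is cheaper than waiting for the console's own check to fail and then restarting the nodes.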
What to do next
If the configuration is successful, the parameters are copied to all subordinate servers, including the node agents. To complete the embedded TAM client configuration, restart all of the servers, including the host server, and enable WAS security.
Related tasks
- Create the security admin user for TAM
- TAM JACC provider configuration
- TAM JACC provider settings
- JACC provider configuration properties for TAM
- Disable embedded TAM client
- Set the JACC provider for TAM using the wsadmin utility
- Disable embedded TAM client using wsadmin
- Enable an external JACC provider