Network Deployment (Distributed operating systems), v8.0
Enable the JACC provider for Tivoli Access Manager
The Java Authorization Contract for Container (JACC) provider for Tivoli Access Manager is configured by default. Use this topic to enable the JACC provider for Tivoli Access Manager.
Restriction: Do not perform this task if you are configuring the JACC provider for Tivoli Access Manager to supply authentication services only. Only perform this task for installations that require both Tivoli Access Manager authentication and authorization protection. To enable the JACC provider for Tivoli Access Manager...
Procedure
- Click Security > Global security > External authorization providers.
- Select the External authorization using a JACC provider option, then click Apply.
- Under Related Items, click External JACC provider. The JACC provider settings for Tivoli Access Manager are displayed.
- Verify that the correct settings are present to work with your Tivoli Access Manager configuration. The following list shows the JACC provider configuration settings for Tivoli Access Manager.
See External Java Authorization Contract for Containers provider settings.
JACC provider configuration settings for Tivoli Access Manager. This table describes the JACC provider configuration settings for Tivoli Access Manager.

| Field | Value |
| --- | --- |
| Name | Tivoli Access Manager |
| Description | This field is optional and used as a reference. |
| J2EE policy class name | com.tivoli.pd.as.jacc.TAMPolicy |
| Policy configuration factory class name | com.tivoli.pd.as.jacc.TAMPolicyConfigurationFactory |
| Role configuration factory class name | com.tivoli.pd.as.jacc.TAMRoleConfigurationFactory |
| JACC provider initialization class name | com.tivoli.pd.as.jacc.cfg.TAMConfigInitialize |
| Requires the EJB arguments policy context handler for access decisions | false |
| Supports dynamic module updates | true |

- Under Additional properties, click Tivoli Access Manager properties and set the properties that are associated with the embedded Tivoli Access Manager. The following table explains the properties that are needed for the embedded Tivoli Access Manager. Some fields do not have default values.
Tivoli Access Manager properties. This table lists the Tivoli Access Manager properties.

| Name | Default value | Description |
| --- | --- | --- |
| Enable embedded Tivoli Access Manager | Unchecked | When you select this check box, the embedded Tivoli Access Manager is configured or reconfigured. When you clear this check box, the embedded Tivoli Access Manager is unconfigured. |
| Ignore errors during embedded Tivoli Access Manager disablement | Unchecked | If you check this check box and click OK or Apply, when you unconfigure the embedded Tivoli Access Manager, any unconfiguration errors are ignored and the process completes. If you do not check this check box, unconfiguration errors cause the unconfiguration process to stop. |
| Client listening port | 8900:8999 | When the embedded Tivoli Access Manager is configured and running, it requires several ports to listen for updates to the access control list database for Tivoli Access Manager. The value in this field is a range of port numbers that Tivoli Access Manager can use for this purpose. The first 20% of this range is reserved for the dmgr. You can enter multiple ranges or individual port numbers in a line-separated list. For example, the three lines `8900:8999`, `9100:9200` and `9999`. |
| Policy server | | This field value specifies the name and port number of the configured and running Tivoli Access Manager policy server. The format is `server:port`. For example: `snapper.ibm.com:7135` |
| Authorization servers | | This field contains the names, port numbers, and priorities of all of the configured and running Tivoli Access Manager authorization servers. This field must contain at least one authorization server. If multiple authorization servers are listed, those servers are used for failover. The server with priority 1 is used first, with failover to the server with priority 2, and so on. The format is `server:port:priority`, with each authorization server listed on a different line. For example, the two lines `snapper.ibm.com:7136:1` and `turtle.ibm.com:7136:2`. |
| Authorization user name | sec_master | This field value specifies the administrative user name for Tivoli Access Manager. |
| Administrator user password | | This field value specifies the password for Tivoli Access Manager. |
| User registry distinguished name suffix | | This field value is the suffix that is set up in the user registry to contain the users and groups for Tivoli Access Manager. For example, using IBM Tivoli Directory Server: `o=ibm,c=au` |
| Security domain | Default | This field value specifies the configured security domain to use for the embedded Tivoli Access Manager. |
| Administrator user distinguished name | | This field specifies the fully distinguished user name of the primary administrative user for WAS security. For example, using IBM Tivoli Directory Server: `cn=wasadmin,o=ibm,c=au` |

See Tivoli Access Manager JACC provider settings.
- Click OK.
- Save the settings by clicking Save at the top of the page.
- Log out of the WAS administrative console.
- Restart WAS. The security configuration is now replicated to managed servers and node agents. These other servers within a cell also require restarting before the security changes take effect.
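
The Client listening port, Policy server and Authorization servers fields each take a specific text format, so it helps to check the values before entering them in the console. The following is an added example, not IBM code and not part of the original topic: the function names are hypothetical, nothing in it calls WAS or Tivoli Access Manager, and the reading of "first 20%" and the rejection of duplicate priorities are assumptions marked in the comments.

```python
# Added example (not IBM code): pre-flight checks for the field formats in the
# Tivoli Access Manager properties table. Function names are hypothetical.

def _port(value):
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"invalid port: {value!r}")
    return int(value)

def parse_ports(text):
    """Expand a line-separated list of low:high ranges or single ports."""
    ports = []
    for entry in text.split():
        low, sep, high = entry.partition(":")
        low, high = _port(low), _port(high if sep else low)
        if low > high:
            raise ValueError(f"reversed range: {entry!r}")
        ports.extend(range(low, high + 1))
    if len(ports) != len(set(ports)):
        raise ValueError("port entries overlap")
    return ports

def dmgr_reserved(ports):
    """Assumption: 'first 20%' is the first fifth of the listed ports, rounded down."""
    return ports[: len(ports) * 20 // 100]

def parse_policy_server(text):
    """Parse the server:port format of the Policy server field."""
    host, sep, port = text.strip().rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected server:port, got {text!r}")
    return host, _port(port)

def parse_authorization_servers(text):
    """Parse server:port:priority lines and return them in failover order."""
    servers = []
    for entry in text.split():
        parts = entry.split(":")
        if len(parts) != 3 or not parts[0] or not parts[2].isdigit() or int(parts[2]) < 1:
            raise ValueError(f"expected server:port:priority, got {entry!r}")
        servers.append((parts[0], _port(parts[1]), int(parts[2])))
    if not servers:
        raise ValueError("at least one authorization server is required")
    priorities = [s[2] for s in servers]
    if len(priorities) != len(set(priorities)):
        # Assumption, stricter than the page: duplicates make failover order ambiguous.
        raise ValueError("duplicate authorization server priority")
    return sorted(servers, key=lambda s: s[2])

if __name__ == "__main__":
    # Sample values taken from the examples in the table above.
    print(parse_authorization_servers("turtle.ibm.com:7136:2\nsnapper.ibm.com:7136:1"))
```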
Related
- Configure the JACC provider for Tivoli Access Manager
- Configure the JACC provider for Tivoli Access Manager using the wsadmin utility
- Enable an external JACC provider
- External Java Authorization Contract for Containers provider settings
- Tivoli Access Manager JACC provider settings