Tivoli Access Manager integration as the JACC provider
Tivoli Access Manager uses the Java Authorization Contract for Container (JACC) model in WebSphere Application Server to perform access checks.
Tivoli Access Manager consists of the following components:
- Run time
- Client configuration
- Authorization table support
- Access check
- Authentication using the PDLoginModule module
For the run-time changes, Tivoli Access Manager implements the PolicyConfigurationFactory and the PolicyConfiguration interfaces, as required by JACC. During the application installation, the security policy information in the deployment descriptor and the authorization table information in the binding files are propagated to the Tivoli provider using these interfaces. The Tivoli provider stores the policy and the authorization table information in the Tivoli Access Manager policy server by calling the respective Tivoli Access Manager APIs.
Tivoli Access Manager also implements the RoleConfigurationFactory and the RoleConfiguration interfaces. These interfaces are used to ensure that the authorization table information is passed to the provider with the policy information. See Interfaces that support JACC for more information about these interfaces.
To configure the Tivoli Access Manager client, we can use either the console or wsadmin scripting. We can access the console panels for the Tivoli Access Manager client configuration by clicking Security > Global security > External authorization providers. Under Related Items, click External JACC provider. The Tivoli client must be set up to use the Tivoli Access Manager JACC Provider.
For more information about how to configure the Tivoli Access Manager client, see Tivoli Access Manager JACC provider configuration.
Tivoli Access Manager uses the RoleConfiguration interface to ensure that the authorization table information is passed to the Tivoli Access Manager provider when the application is installed or deployed. When an application is deployed or edited, the set of users and groups for the user or group-to-role mapping are obtained from the Tivoli Access Manager server, which shares the same LDAP server as WebSphere Application Server. This sharing is accomplished by plugging into the application management users or groups-to-role console panels. The management APIs are called to obtain users and groups rather than relying on the WAS-configured LDAP registry.
The user or group-to-role mapping is on the application level, not on the node level.
When WebSphere Application Server is configured to use the JACC provider for Tivoli Access Manager , it passes the information to Tivoli Access Manager to make the access decision. The Tivoli Access Manager policy implementation queries the local replica of the access control list (ACL) database for the access decision.
The custom login module in WAS can do the authentication. This login module is plugged in before the WAS-provided login modules. The custom login modules can provide information that can be stored in the Subject. If the required information is stored, no additional registry calls are made to obtain that information.
As part of the JACC integration, the Tivoli Access Manager-provided PDLoginModule module is also used to plug into WebSphere Application Server for LTPA, Kerberos (KRB5) and SWAM authentication. The PDLoginModule module is modified to authenticate with the user ID or password. The module is also used to fill in the required attributes in the Subject so that no registry calls are made by the login modules in WebSphere Application Server. The information placed in the Subject is available for the Tivoli Access Manager policy object to use for access checking.
SWAM is deprecated in WebSphere Application Server v8.5 and will be removed in a future release.
When using Kerberos authentication mechanism and Tivoli Access Manager, TAM loginModule creates the PDPrincipal without first going through the Tivoli Access Manager authentication process. Also when using Kerberos authentication mechanism and Tivoli Access Manager, the Tivoli Access Manager policy is not enforced starting in WAS v7.
Related concepts
Authorization providers JACC providers JACC support in WebSphere Application Server
Related tasks
Enable an external JACC provider Authorizing access to Java EE resources using Tivoli Access Manager Propagating security policy of installed applications to a JACC provider
Interfaces that support JACC Security authorization provider troubleshooting tips
Related information:
IBM Tivoli Access Manager for e-business information center