+

Search Tips   |   Advanced Search

Configure global sign-on principal mapping

We can create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials.

  1. Click Security > Global security > Authentication, click Java Authentication and Authorization Service > Application logins.

  2. Click New to create a new JAAS login configuration.

  3. Enter the alias name of the new application login. Click Apply.

  4. Under Additional properties, click JAAS login modules to define the JAAS Login Modules.

  5. Click New and enter the following information:


    Module class name: com.tivoli.pdwas.gso.AMPrincipalMapper
    Use Login Module Proxy: enable
    Authentication strategy: REQUIRED

  6. Click Apply

  7. Under Additional Properties section, click Custom Properties to define login module-specific values that are passed directly to the underlying login modules.

  8. Click New.

    The Tivoli Access Manager principal mapping module uses the authDataAlias configuration string to retrieve the correct user name and password from the security configuration.

    The authDataAlias attribute that is passed to the module is configured for the J2C connection factory. Because the authDataAlias attribute is an arbitrary string that is entered at configuration time, the following scenarios are possible:

    • The authDataAlias attribute contains both the global sign-on (GSO) resource name and the user name. The format of this string is "Resource/User".

    • The authDataAlias attribute contains the GSO Resource name only. The user name is determined using the Subject of the current session.

    The scenario to use is determined by a JAAS configuration option, as shown here:

    • Name: com.tivoli.pd.as.gso.AliasContainsUserName

    • Value: True, if the alias contains the user name; false, if the user name must be retrieved from the security context

    When entering authDataAlias attributes through the WAS administrative console, the node name is automatically pre-pended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name, as shown here:

    • Name: com.tivoli.pd.as.gso.AliasContainsNodeName

    • Value: True, if the alias contains the node name

    If the PdPerm.properties configuration file is not located in the JAVA_HOME/PdPerm.properties default location, then we also need to add the following property:

    • Name: com.tivoli.pd.as.gso.AMCfgURL

    • Value: file:///path to PdPerm.properties

    Enter each new parameter using the following scenario information as a guide, then click Apply.

    Sceanrio 1

    • Auth Data Alias - BackendEIS/eisUser

    • Resource - BackEndEIS

    • User - eisUser

    • Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 2

    • Auth Data Alias - BackendEIS

    • Resource - BackEndEIS

    • User - Currently authenticated WebSphere Application Server user

    • Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 3

    • Auth Data Alias - nodename/BackendEIS/eisUser

    • Resource - BackEndEIS

    • User - eisUser

    • Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 4

    • Auth Data Alias - nodename/BackendEIS/eisUser

    • Resource - nodename/BackEndEIS (notice that node name is not removed)

    • User - eisUser

    • Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 5

    • Auth Data Alias - BackendEIS/eisUser

    • Resource - BackEndEIS

    • User - eisUser

    • Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 6

    • Auth Data Alias - nodename/BackendEIS/eisUser

    • Resource - nodename/BackendEIS/eisUser (notice that the resource is the same as Auth Data Alias).

    • User - Currently authenticated WebSphere Application Server user

    • Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

  9. Create the Java 2 Connector (J2C) authentication aliases. The user name and password assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password assigned to the J2C authentication aliases need to exist so that they can be selected for the J2C connection factory in the administrative console.

    To create the J2C authentication aliases, from the WAS administrative console, click Security Global security. Under Authentication, click Java Authentication and Authorization Service J2C authentication data, and then click New for each new entry. Refer to the previous table for scenario inputs.

    The connection factories for each resource adapter that need to use the GSO database must be configured to use the Tivoli Access Manager Principal mapping module:

    1. From the WAS administrative console, click Applications Enterprise Applications application_nameResourcer references. Note that J2C connection factories must be already configured for the selected application. To configure a new J2C connection factory, see the Configuring Java EE Connector connection factories in the administrative console article.

    2. Under Additional properties, click Resource Adapter.

      The resource adapter can be stand-alone and does not need to be packaged with the application. The resource adapter is configured from Resources Resource Adapters for stand-alone scenarios.

    3. Under Additional properties, click J2C Connection Factories.

    4. Click New and enter the connection factory properties.

    5. When finished, click Apply Save.

    Custom mapping configuration for the connection factory is deprecated in WAS v6. To configure the GSO credential mapping, use the Map Resource References to Resources panel on the administrative console. For more information, see the J2EE connector security article.


Related concepts

  • Global single sign-on principal mapping for authentication
  • Java EE connector security


    Related tasks

  • Configure single sign-on capability with Tivoli Access Manager or WebSEAL
  • Configure Java EE Connector connection factories in the administrative console