Enable an external JACC provider
Use this topic to enable an external JACC provider using the dmgr console.
The Java Authorization Contract for Containers (JACC) defines a contract between Java EE containers and authorization providers. This contract enables any third-party authorization provider to plug into a Java EE 5 application server, such as WebSphere Application Server, and make the authorization decisions when a Java EE resource is accessed.
- From the dmgr console, click Security > Global security > External authorization providers.
- Under Related items, click External JACC provider.
- The fields are set for Tivoli Access Manager by default. If we do not plan to use Tivoli Access Manager as the JACC provider, replace these fields with the details for our own external JACC provider.
- If any custom properties are required by the JACC provider, click Custom properties under Additional properties and enter the properties. When using Tivoli Access Manager, use the Tivoli Access Manager properties link instead of the Custom properties link. For more information, see Configure the JACC provider for Tivoli Access Manager.
- On the External authorization providers panel, select the External authorization using a JACC provider option and click OK.
- Complete the remaining steps to enable security. If we are using Tivoli Access Manager, select LDAP as the user registry and use the same LDAP server. For more information on configuring LDAP registries, see Configure LDAP user registries.
- Restart all servers to make these changes effective.
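A post-change check for the procedure above, as an added example that is not part of the original documentation: it reads a constructed security.xml fragment and reports whether external JACC authorization is selected, whether the provider fields are filled in, and whether LDAP is the active registry when Tivoli Access Manager is the provider. The element and attribute names (`authConfig`, `useJACCProvider`, `authorizationProviders`, `activeUserRegistry`) are assumptions about the cell's security.xml layout; confirm them against your own file.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"

# Constructed sample, trimmed to the attributes the check reads. Element and
# attribute names are assumptions about the cell-level security.xml layout.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
  xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
  xmi:id="Security_1" enabled="true" activeUserRegistry="LocalOSUserRegistry_1">
 <userRegistries xmi:type="security:LocalOSUserRegistry" xmi:id="LocalOSUserRegistry_1"/>
 <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"/>
 <authConfig xmi:id="AuthorizationConfig_1" useJACCProvider="true">
  <authorizationProviders xmi:id="AuthorizationProvider_1"
    name="Tivoli Access Manager"
    j2eePolicyImplClassName="com.tivoli.pd.as.jacc.TAMPolicy"
    policyConfigurationFactoryImplClassName="com.tivoli.pd.as.jacc.TAMPolicyConfigurationFactory"/>
 </authConfig>
</security:Security>"""

REQUIRED = ("j2eePolicyImplClassName", "policyConfigurationFactoryImplClassName")

def audit_jacc(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("enabled") != "true":
        findings.append("global security is not enabled")
    auth = root.find("authConfig")
    if auth is None or auth.get("useJACCProvider") != "true":
        return findings + ["external JACC authorization is not selected"]
    provider = auth.find("authorizationProviders")
    if provider is None:
        return findings + ["no external JACC provider is defined"]
    for attr in REQUIRED:
        if not provider.get(attr):
            findings.append("provider field %s is empty" % attr)
    # Procedure step: with Tivoli Access Manager, LDAP must be the user registry.
    if "Tivoli Access Manager" in provider.get("name", ""):
        kinds = {r.get(XMI + "id"): r.get(XMI + "type", "")
                 for r in root.findall("userRegistries")}
        if not kinds.get(root.get("activeUserRegistry"), "").endswith("LDAPUserRegistry"):
            findings.append("Tivoli Access Manager is the provider "
                            "but the active registry is not LDAP")
    return findings

if __name__ == "__main__":
    print(audit_jacc(SAMPLE))
```

Run it against a copy of the configuration after the restart step; any finding means one of the console steps did not take effect.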
Subtopics
- Configure the JACC provider for Tivoli Access Manager
  Use this task to configure Tivoli Access Manager as the Java Authorization Contract for Containers (JACC) provider using the dmgr console.
- Administer security users and roles with Tivoli Access Manager
  Use these steps to manage user-to-role mappings and user-to-group mappings for applications.
- Configure Tivoli Access Manager groups
  Use these steps to configure the dmgr console to add objects of the accessGroup class to the list of object classes that represent user registry groups.
- Configure additional authorization servers for Tivoli Access Manager
  Tivoli Access Manager secure domains can contain more than one authorization server. Having multiple authorization servers is useful for providing a failover capability as well as improving performance when the volume of access requests is large.
- Logging Tivoli Access Manager security
  Use this topic to enable the trace specification to indicate tracing at the required level.
- Interfaces that support JACC
  WAS provides the RoleConfigurationFactory and the RoleConfiguration interfaces, which are similar to the PolicyConfigurationFactory and PolicyConfiguration interfaces, so the information stored in the bindings file can be propagated to the provider during installation. The implementation of these interfaces is optional.
- Enable the JACC provider for Tivoli Access Manager
  The Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager is configured by default. Use this topic to enable the JACC provider for Tivoli Access Manager.
- Enable embedded Tivoli Access Manager
  Embedded Tivoli Access Manager is not enabled by default, and you need to configure it for use.
- TAMConfig command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure embedded IBM Tivoli Access Manager with wsadmin. The commands and parameters in the TAMConfig group can be used to configure or unconfigure Tivoli Access Manager.
- Disable embedded Tivoli Access Manager client
  To unconfigure the JACC provider for Tivoli Access Manager, we can use the dmgr console.
- Forcing the unconfiguration of the Tivoli Access Manager JACC provider
  If we find we cannot restart WAS after configuring the JACC provider for Tivoli Access Manager, a utility is available to clear the security configuration and return WAS to an operable state.
- Propagating security policies and roles for previously deployed applications
  Use this task to propagate security policies and roles to the external Java Authorization Contract for Containers (JACC) provider.
Related concepts:
Authorization providers
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WAS
Related
Authorizing access to Java EE resources using Tivoli Access Manager
Propagating security policy of installed applications to a JACC provider using wsadmin.sh
Reference:
External Java Authorization Contract for Containers provider settings
Interfaces that support JACC
Security authorization provider troubleshooting tips