Configure the JACC provider for ISAM using the administrative console
Configure Security Access Manager as the Java Authorization Contract for Containers (JACC) provider using the administrative console.
Before starting:
- Verify that all of the managed servers, including node agents, are started.
- Create the security administrative user for ISAM.
The following configuration is performed on the WAS management server. When we click either Apply or OK, configuration information is checked for consistency, saved, and applied if successful. This configuration information is propagated to the nodes when synchronization is performed. Restart the nodes for the configuration changes to take effect.
- From the Dmgr click...
Security > Global security > External authorization providers > General properties > External authorization using a JACC provider > Related items > External JACC provider > Additional properties > ISAM Properties
- Enter the following information:
- Enable embedded ISAM: Select this option to enable ISAM.
- Ignore errors during embedded ISAM disablement: Select this option only when unconfiguring the JACC provider. Do not select it during configuration.
- Client listening port set: WAS must listen on a TCP/IP port for authorization database updates from the policy server, and more than one process can run on a particular node or machine, so enter the listening ports used by the ISAM clients, separated by commas. If a range of ports is specified, separate the lower and higher values with a colon (:), for example, 7999, 9990:9999.
- Policy server: Enter the name of the ISAM policy server and the connection port, in the form policy_server:port. The policy communication port is set at the time of the ISAM configuration; the default is 7135.
- Authorization servers: Enter the name of the ISAM authorization server, in the form auth_server:port:priority. The authorization server communication port is set at the time of the ISAM configuration; the default is 7136. More than one authorization server can be specified by separating the entries with commas, which is useful for failover and performance. The priority value determines the order in which the authorization servers are used (for example, auth_server1:7136:1 and auth_server2:7137:2). A priority value of 1 is required when configuring against a single authorization server.
- Administrator user name: Enter the ISAM administrator user name created when ISAM was configured; it is usually sec_master.
- Administrator user password: Enter the ISAM administrator password.
- User registry distinguished name suffix: Enter the distinguished name suffix for the user registry that is shared between ISAM and WAS, for example, o=ibm, c=us.
- Security domain: ISAM can have more than one security domain, each with its own administrative user. Users, groups, and other objects are created within a specific domain and are not permitted to access resources in another domain. Enter the name of the ISAM security domain used to store WAS users and groups. If no security domain was established at the time of the ISAM configuration, leave the value as Default.
- Administrator user distinguished name: Enter the full distinguished name of the WAS security administrator ID, for example, cn=wasadmin, o=organization, c=country. This ID must match the Server user ID on the LDAP User Registry panel in the administrative console. To access that panel, click...
Security > Global security > User account repository > Available realm definitions > Standalone LDAP registry > Configure
- When all information is entered, click OK to save the configuration properties. The configuration parameters are checked for validity and the configuration is attempted at the host server or cell manager.
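The console checks the entered values for consistency before attempting the configuration. The following added example (not IBM or WebSphere code) re-creates the field rules stated in the panel descriptions above as an offline pre-check, so the values can be reviewed before they are applied on the deployment manager: comma-separated listening ports with lower:higher ranges, the policy_server:port and auth_server:port:priority forms, priority 1 for a single authorization server, and an administrator DN that lies under the registry suffix and matches the LDAP Server user ID. The hostnames, DNs and the no-gaps rule for multiple priorities are assumptions, not values from the page.

```python
"""Offline pre-check of the ISAM JACC provider panel values described above.
Added example, not IBM or WebSphere code: it re-creates the rules the panel text
states (comma-separated ports, lower:higher ranges, policy_server:port,
auth_server:port:priority, administrator DN matching the LDAP Server user ID)."""


def _port(text, field):
    """Accept only a decimal TCP port in 1-65535."""
    if not text.strip().isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"{field}: '{text}' is not a valid port")
    return int(text)


def parse_port_set(value):
    """'7999, 9990:9999' -> [(7999, 7999), (9990, 9999)]; a range is lower:higher."""
    ranges = []
    for entry in (e.strip() for e in value.split(",")):
        low_s, sep, high_s = entry.partition(":")
        low = _port(low_s, "port set")
        high = _port(high_s, "port set") if sep else low
        if low > high:
            raise ValueError(f"port set: range '{entry}' has lower > higher")
        ranges.append((low, high))
    return ranges


def parse_policy_server(value):
    """'policy_server:port' -> (host, port)."""
    host, sep, port = value.strip().partition(":")
    if not host or not sep:
        raise ValueError("policy server: expected policy_server:port")
    return host, _port(port, "policy server")


def parse_authz_servers(value):
    """'auth_server:port:priority, ...' -> [(host, port, priority)] sorted by priority.
    Priorities must run 1..N (assumed no-gaps rule), so a single server needs 1."""
    servers = []
    for entry in (e.strip() for e in value.split(",")):
        parts = entry.split(":")
        if len(parts) != 3 or not parts[0] or not parts[2].isdigit():
            raise ValueError(f"authorization servers: '{entry}' is not host:port:priority")
        servers.append((parts[0], _port(parts[1], "authorization servers"), int(parts[2])))
    if sorted(s[2] for s in servers) != list(range(1, len(servers) + 1)):
        raise ValueError("authorization servers: priorities must be 1..N")
    return sorted(servers, key=lambda s: s[2])


def normalize_dn(dn):
    """Canonical DN: trim spaces, lower-case types and values (assumes
    case-insensitive directory-string attributes such as cn, o and c)."""
    if not dn.strip():
        return ""
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}"
                    for a, _, v in (rdn.partition("=") for rdn in dn.split(",")))


def rejects(parser, value):
    """True when parser raises ValueError for value."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


def validate_isam_jacc_config(cfg, ldap_server_user_id):
    """Return the problems the panel would report; an empty list means consistent."""
    problems = []
    for field, parser in (("client_listening_port_set", parse_port_set),
                          ("policy_server", parse_policy_server),
                          ("authorization_servers", parse_authz_servers)):
        try:
            parser(cfg.get(field, ""))
        except ValueError as exc:
            problems.append(str(exc))
    for field in ("admin_user", "admin_password"):
        if not cfg.get(field):
            problems.append(f"{field} is required")
    suffix = normalize_dn(cfg.get("registry_suffix", ""))
    admin_dn = normalize_dn(cfg.get("admin_user_dn", ""))
    if not suffix or not admin_dn.endswith("," + suffix):
        problems.append("administrator user DN is not under the user registry suffix")
    if admin_dn != normalize_dn(ldap_server_user_id):
        problems.append("administrator user DN does not match the LDAP Server user ID")
    return problems


# Constructed sample values (no real hosts), following the panel's own examples.
SAMPLE_CONFIG = {
    "client_listening_port_set": "7999, 9990:9999",
    "policy_server": "pdmgr.example.com:7135",
    "authorization_servers": "pdacld2.example.com:7137:2, pdacld1.example.com:7136:1",
    "admin_user": "sec_master",
    "admin_password": "example-only",
    "registry_suffix": "o=organization, c=country",
    "admin_user_dn": "cn=wasadmin, o=organization, c=country",
}
```

Running `validate_isam_jacc_config(SAMPLE_CONFIG, "cn=wasadmin,o=organization,c=country")` returns an empty list; a reversed range such as 9990:999, a lone authorization server with priority 2, or an administrator DN that differs from the LDAP Server user ID each produces one entry naming the field, which is the kind of mismatch the console rejects when OK is clicked.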
After clicking OK, WAS completes the following actions:
- Validates the configuration parameters.
- Configures the host server or cell manager.
These processes might take some time, depending on network traffic or the speed of the machine.
What to do next
If the configuration is successful, the parameters are copied to all subordinate servers, including the node agents. To complete the embedded ISAM client configuration, we must restart all of the servers, including the host server, and enable WAS security.
Subtopics
- Create the security administrative user for ISAM
- ISAM JACC provider configuration
- ISAM JACC provider settings
- JACC provider configuration properties for ISAM
- Static role caching properties
- Dynamic role caching properties
- Object caching properties
- Role-based policy framework properties
- System-dependent configuration properties
Related tasks
- Enable an external JACC provider
- Disable embedded ISAM client
- Configure the JACC provider for ISAM using the wsadmin utility
- Disable embedded ISAM client using wsadmin