Configure additional authorization servers for ISAM
Security Access Manager secure domains can contain more than one authorization server. Having multiple authorization servers is useful for providing a failover capability as well as improving performance when the volume of access requests is large.
Tasks
- Refer to the ISAM Base Administration Guide for details on installing and configuring authorization servers. This document is available in the IBM ISAM for e-business information center.
- Re-configure the Java Authorization Contract for Containers (JACC) provider using the $AdminTask reconfigureTAM interactive wsadmin command. Enter all new and existing options. The following table lists the information that we are asked to provide for the reconfigureTAM command. The table also lists the properties that apply to the configureTAM and unconfigureTAM commands.
Property Default Relevant command Description WebSphere Application Server node name *
Specify a single node or enter an asterisk (*) to run the configuration task on all of the application server instances including the deployment manager, node agents, and servers.
ISAM Policy Server Default port: 7135
Enter the name of the ISAM policy server and the connection port. Use the format, policy_server : port. The policy server communication port is set at the time of Tivoli Access Manager configuration. ISAM Authorization Server Default port: 7136
Enter the name, port, and priority of each configured ISAM authorization server. Use the format auth_server : port : priority. The authorization server communication port is set at the time of ISAM configuration. We can specify more than one authorization server by separating the entries with commas. Having more than one authorization server configured is useful for failover and performance. The priority value is the order of authorization server use. For example: auth_server1:7136:1,auth_server2:7137:2. A priority of 1 is still required when we use a single authorization server. WebSphere Application Server administrator's distinguished name
Enter the full distinguished name of the security primary administrator ID for WebSphere Application Server as created in Create the security administrative user for ISAM. For example: cn=wasadmin,o=organization,c=country ISAM user registry distinguished name suffix
Enter the suffix that we have set up in the user registry to contain the user and groups for ISAM. For example: o=organization,c=country ISAM administrator's user name sec_master
Enter the ISAM administration user ID that we created when we configured ISAM. This ID is usually sec_master. ISAM administrator's user password
Enter the password associated with the ISAM administration user ID. ISAM security domain Default
Enter the name of the ISAM security domain used to store users and groups. If a security domain is not already established at the time of ISAM configuration, click Return to accept the default. Embedded ISAM listening port set 8900:8999
WAS needs to listen on a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node and machine so a list of ports is required for the processes. Enter the ports used as listening ports by ISAM clients, separated by a comma. If we specify a range of ports, separate the lower and higher values by a colon. For example, 7999, 9990:9999. Defer No
Set this option to yes to defer the configuration of the management server until the next restart. Set the option to no if we want the configuration of the management server to occur immediately. Managed servers are configured on their next restart. Force No
Set this value to yes to ignore errors during the unconfiguration process and allow the entire process to complete. Set the value to no if we want errors to stop the unconfiguration process. This option is especially useful if the environment needs to be cleaned up and problems are occurring that do not allow the entire cleanup process to complete successfully.
Enable an external JACC provider