Configure global sign-on principal mapping

We can create a new application login that uses the Security Access Manager GSO database to store the login credentials.

  1. To create a new JAAS login configuration.

      Security > Global security > Authentication > Java Authentication and Authorization Service > Application logins > New

  2. Enter the alias name of the new application login. Click Apply.

  3. To define the JAAS Login Modules, click..

      Additional properties > JAAS login modules > New

    Enter the following information:

      Module class name: com.tivoli.pdwas.gso.AMPrincipalMapper
      Use Login Module Proxy: enable
      Authentication strategy: REQUIRED

  4. Click Apply

  5. To define login module-specific values passed directly to the underlying login modules, click...

      Additional Properties > Custom Properties > New

    The ISAM principal mapping module uses the authDataAlias configuration string to retrieve the correct user name and password from the security configuration. The authDataAlias attribute that is passed to the module is configured for the J2C connection factory. Because the authDataAlias attribute is an arbitrary string that is entered at configuration time, the following scenarios are possible:

    • The authDataAlias attribute contains both the global sign-on (GSO) resource name and the user name. The format of this string is "Resource/User".
    • The authDataAlias attribute contains the GSO Resource name only. The user name is determined using the Subject of the current session.

    The scenario to use is determined by a JAAS configuration option, as shown here:

    • Name: com.tivoli.pd.as.gso.AliasContainsUserName
    • Value: True, if the alias contains the user name; false, if the user name must be retrieved from the security context

    When entering authDataAlias attributes through the WebSphere Application Server dmgr console, the node name is automatically pre-pended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name, as shown here:

    • Name: com.tivoli.pd.as.gso.AliasContainsNodeName
    • Value: True, if the alias contains the node name

    If the PdPerm.properties configuration file is not located in the JAVA_HOME/PdPerm.properties default location, then you also need to add the following property:

    • Name: com.tivoli.pd.as.gso.AMCfgURL
    • Value: file:///path to PdPerm.properties

    Enter each new parameter using the following scenario information as a guide, then click Apply.

    Scenario 1

      Auth Data Alias - BackendEIS/eisUser
      Resource - BackEndEIS
      User - eisUser

      Principal Mapping Parameters.

      Name Value
      delegate com.tivoli.pdwas.gso.AMPrincipalMapper
      com.tivoli.pd.as.gso.AliasContainsUserName true
      com.tivoli.pd.as.gso.AliasContainsNodeName false
      com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
      debug false

    Scenario 2

      Auth Data Alias - BackendEIS
      Resource - BackEndEIS
      User - Currently authenticated WAS user

      Principal Mapping Parameters.

      Name Value
      delegate com.tivoli.pdwas.gso.AMPrincipalMapper
      com.tivoli.pd.as.gso.AliasContainsUserName false
      com.tivoli.pd.as.gso.AliasContainsNodeName false
      com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
      debug false

    Scenario 3

      Auth Data Alias - nodename/BackendEIS/eisUser
      Resource - BackEndEIS
      User - eisUser

      Principal Mapping Parameters.

      Name Value
      delegate com.tivoli.pdwas.gso.AMPrincipalMapper
      com.tivoli.pd.as.gso.AliasContainsUserName true
      com.tivoli.pd.as.gso.AliasContainsNodeName true
      com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
      debug false

    Scenario 4

      Auth Data Alias - nodename/BackendEIS/eisUser  
      Resource - nodename/BackEndEIS (notice that node name is not removed)
      User - eisUser

      Principal Mapping Parameters.

      Name Value
      delegate com.tivoli.pdwas.gso.AMPrincipalMapper
      com.tivoli.pd.as.gso.AliasContainsUserName true
      com.tivoli.pd.as.gso.AliasContainsNodeName false
      com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
      debug false

    Scenario 5

      Auth Data Alias - BackendEIS/eisUser
      Resource - BackEndEIS
      User - eisUser

      Principal Mapping Parameters.

      Name Value
      delegate com.tivoli.pdwas.gso.AMPrincipalMapper
      com.tivoli.pd.as.gso.AliasContainsUserName false
      com.tivoli.pd.as.gso.AliasContainsNodeName true
      com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
      debug false

    Scenario 6

      Auth Data Alias - nodename/BackendEIS/eisUser
      Resource - nodename/BackendEIS/eisUser
      (notice the resource is the same as Auth Data Alias).
      User - Currently authenticated WAS user

      Principal Mapping Parameters.

      Name Value
      delegate com.tivoli.pdwas.gso.AMPrincipalMapper
      com.tivoli.pd.as.gso.AliasContainsUserName false
      com.tivoli.pd.as.gso.AliasContainsNodeName false
      com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
      debug false

  6. Create the Java 2 Connector (J2C) authentication aliases. The user name and password assigned to these alias entries are irrelevant because ISAM is responsible for providing user names and passwords. However, the user name and password assigned to the J2C authentication aliases need to exist so they can be selected for the J2C connection factory in the dmgr console.

    To create the J2C authentication aliases, from the dmgr console, click Security Global security. Under Authentication, click Java Authentication and Authorization Service J2C authentication data, and then click New for each new entry. Refer to the previous table for scenario inputs.

    The connection factories for each resource adapter that need to use the GSO database must be configured to use the ISAM Principal mapping module:

    1. From the dmgr console, click Applications Enterprise Applications application_nameResourcer references. Note that J2C connection factories must be already configured for the selected application. To configure a new J2C connection factory, see the Configuring Java EE Connector connection factories in the dmgr console article.

    2. Under Additional properties, click Resource Adapter.

      The resource adapter can be stand-alone and does not need to be packaged with the application. The resource adapter is configured from Resources Resource Adapters for stand-alone scenarios.

    3. Under Additional properties, click J2C Connection Factories.

    4. Click New and enter the connection factory properties.

    5. When finished, click Apply Save.

    Custom mapping configuration for the connection factory is deprecated in WAS v6. To configure the GSO credential mapping, use the Map Resource References to Resources panel on the dmgr console. For more information, see the J2EE connector security article.


Related concepts:

Global single sign-on principal mapping for authentication
Java EE connector security


Related


Configure SSO capability with ISAM WebSEAL
Configure Java EE Connector connection factories in the dmgr console


+

Search Tips   |   Advanced Search