Enable the JACC provider for ISAM
The Java Authorization Contract for Containers (JACC) provider for Security Access Manager is configured by default. Use this topic to enable the JACC provider for ISAM.
Restriction: Do not perform this task if we are configuring the JACC provider for ISAM to supply authentication services only. Perform this task only for installations that require both ISAM authentication and authorization protection.
To enable the JACC provider for ISAM:
Tasks
- Go to:
  Security > Global security > External authorization providers > External authorization using a JACC provider > Apply > Related Items > External JACC provider
  ...and verify that the correct settings are present to work with your ISAM configuration. The fields and their values are:
  - Name: ISAM
  - Description: This field is optional and used as a reference.
  - J2EE policy class name: com.tivoli.pd.as.jacc.TAMPolicy
  - Policy configuration factory class name: com.tivoli.pd.as.jacc.TAMPolicyConfigurationFactory
  - Role configuration factory class name: com.tivoli.pd.as.jacc.TAMRoleConfigurationFactory
  - JACC provider initialization class name: com.tivoli.pd.as.jacc.cfg.TAMConfigInitialize
  - Requires the EJB arguments policy context handler for access decisions: false
  - Supports dynamic module updates: true
  See External Java Authorization Contract for Containers provider settings.
- Under Additional properties, click ISAM properties and set the properties associated with the embedded ISAM.
  Each property is listed with its name, its default value (where it has one), and its description:
  - Enable embedded ISAM (default: Unchecked): When we select this check box, the embedded ISAM is configured or reconfigured. When we clear this check box, the embedded ISAM is unconfigured.
  - Ignore errors during embedded Security Access Manager disablement (default: Unchecked): If we check this check box and click OK or Apply, any unconfiguration errors are ignored when we unconfigure the embedded ISAM, and the process completes. If we do not check this check box, unconfiguration errors cause the unconfiguration process to stop.
  - Client listening port (default: 8900:8999): When the embedded ISAM is configured and running, it requires several ports to listen for updates to the access control list database for ISAM. The value in this field is a range of port numbers that ISAM can use for this purpose. The first 20% of this range is reserved for the deployment manager. We can enter multiple ranges or individual port numbers in a line-separated list. For example:
      8900:8999
      9100:9200
      9999
  - Policy server: The name and port number of the configured and running ISAM policy server. The format is server:port. For example: snapper.ibm.com:7135
  - Authorization servers: This field contains the names, port numbers, and priorities of all of the configured and running ISAM authorization servers. This field must contain at least one authorization server. If multiple authorization servers are listed, those servers are used for failover. The server with priority 1 is used first, with failover to the server with priority 2, and so on. The format is server:port:priority, with each authorization server listed on a different line. For example:
      snapper.ibm.com:7136:1
      turtle.ibm.com:7136:2
  - Authorization user name (default: sec_master): The administrative user name for ISAM.
  - Administrator user password: The password for ISAM.
  - User registry distinguished name suffix: This field value is the suffix that is set up in the user registry to contain the users and groups for ISAM. For example, using IBM Security Directory Server: o=ibm,c=au
  - Security domain (default: Default): The configured security domain to use for the embedded ISAM.
  - Administrator user distinguished name: This field specifies the fully distinguished user name of the primary administrative user for WebSphere Application Server security. For example, using IBM Security Directory Server: cn=wasadmin,o=ibm,c=au
- Click OK.
- Save the settings by clicking Save.
- Log out of the WAS administrative console.
- Restart WAS. The security configuration is now replicated to managed servers and node agents. These other servers within a cell also require restarting before the security changes take effect.
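As an added example (not IBM code and not part of the original page), the following Python checks the line-separated values described above for the Client listening port, Policy server and Authorization servers fields before they are entered in the console, and returns the authorization servers in failover order. The function names are hypothetical, and rejecting overlapping port entries and duplicate priorities is an assumption of this example rather than documented product behaviour.

```python
# Added example: pre-flight check of ISAM properties values (hypothetical names).
def parse_ports(text):
    """'Client listening port': one 'low:high' range or single port per line."""
    ranges = []
    for line in text.split():
        parts = line.split(":")
        if len(parts) > 2:
            raise ValueError("bad port entry: %r" % line)
        low, high = int(parts[0]), int(parts[-1])
        if not 1 <= low <= high <= 65535:
            raise ValueError("bad port entry: %r" % line)
        ranges.append((low, high))
    ranges.sort()
    # Assumption of this example: overlapping entries are a typing mistake.
    for (_, prev_high), (low, _) in zip(ranges, ranges[1:]):
        if low <= prev_high:
            raise ValueError("overlapping port entries at %d" % low)
    return ranges

def parse_endpoint(text):
    """'Policy server': exactly 'server:port'."""
    parts = text.strip().split(":")
    if len(parts) != 2 or not parts[0] or not parts[1].isdigit():
        raise ValueError("expected server:port, got %r" % text)
    port = int(parts[1])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % text)
    return parts[0], port

def parse_authz_servers(text):
    """'Authorization servers': one 'server:port:priority' per line.
    Returns (server, port) pairs in failover order, priority 1 first."""
    by_priority = {}
    for line in text.split():
        endpoint, _, priority = line.rpartition(":")
        if not priority.isdigit() or int(priority) < 1:
            raise ValueError("expected server:port:priority, got %r" % line)
        # Assumption of this example: two servers may not share a priority.
        if int(priority) in by_priority:
            raise ValueError("duplicate priority %s" % priority)
        by_priority[int(priority)] = parse_endpoint(endpoint)
    if not by_priority:
        raise ValueError("at least one authorization server is required")
    return [by_priority[p] for p in sorted(by_priority)]

if __name__ == "__main__":
    print(parse_ports("8900:8999\n9100:9200\n9999"))
    print(parse_endpoint("snapper.ibm.com:7135"))
    print(parse_authz_servers("turtle.ibm.com:7136:2\nsnapper.ibm.com:7136:1"))
```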