External Java Authorization Contract for Containers provider settings
Configure the application server to use an external Java Authorization Contract for Containers (JACC) provider. For example, the policy class name and the policy configuration factory class name are required by the JACC specification.
Use these settings when we have set up an external security provider that supports the JACC specification to work with the application server. The configuration process involves installing and configuring the provider server and configuring the client of the provider in the application server to communicate with the server. If the JACC provider is not enabled, these settings will be ignored.
To view this administrative console page:
- Click Security > Global security.
- Click External authorization providers.
- Under Authorization provider, click External JACC provider.
Use the default settings when we use Security Access Manager as the JACC provider. Install and configure the ISAM server prior to using it with the application server. Use the ISAM properties link under Additional properties, and configure the ISAM client in the application server to use the ISAM server. If we intend to use another provider, modify the settings as appropriate.
Name
Name used to identify the external JACC provider.
This field is required.
Information Value Data type: String
Description
Provides an optional description for the provider.
Information Value Data type: String
Policy class name
Specifies a fully qualified class name that represents the javax.security.jacc.policy.provider property as per the JACC specification. The class represents the provider-specific implementation of the java.security.Policy abstract methods.
The class file for the custom JACC provider must reside in the WAS-INSTALL/lib/ext directory. This enables the application server, node agents, and the deployment manager to operate correctly.
Do not add the JAR file, which contains the class file, to the <WAS_HOME>/lib directory in a product environment as service releases overwrite files in this directory.
This class is used during authorization decisions. The default class name is for ISAM implementation of the policy file.
This field is required. For information on enabling the JACC provider using this field, see the "Enabling the JACC provider for Tivoli Access Manager" topic in the information center.
Information Value Data type: String Default: com.tivoli.pd.as.jacc.TAMPolicy
Policy configuration factory class name
Specifies a fully qualified class name that represents the javax.security.jacc.PolicyConfigurationFactory.provider property as per the JACC specification. The class represents the provider-specific implementation of the javax.security.jacc.PolicyConfigurationFactory abstract methods.
The class file must reside in the class path of each application server process. These processes include the application server, node agents and the deployment manager.
Do not add the JAR file, which contains the class file, to the <WAS_HOME>/lib directory in a product environment as service releases overwrite files in this directory.
This class represents the provider-specific implementation of the PolicyConfigurationFactory abstract class. This class is used to propagate the security policy information to the JACC provider during the installation of the Java EE application. The default class name is for the ISAM implementation of the policy configuration factory class name.
This field is required.
Information Value Data type: String Default: com.tivoli.pd.as.jacc.TAMPolicyConfigurationFactory
Role configuration factory class name
Specifies a fully qualified class name that implements the com.ibm.wsspi.security.authorization.RoleConfigurationFactory interface.
The class file must reside in the class path of each application server process. These processes include the application server, node agents and the deployment manager.
Do not add the JAR file, which contains the class file, to the <WAS_HOME>/lib directory in a product environment as service releases overwrite files in this directory.
When we implement this class, the authorization table information in the binding file is propagated to the provider during the installation of the Java EE application. The default class name is for the Tivoli Access Manager implementation of the role configuration factory class name.
This field is optional. For information on enabling the JACC provider using this field, see the "Enabling the JACC provider for Tivoli Access Manager" topic in the information center.
Information Value Data type: String Default: com.tivoli.pd.as.jacc.TAMRoleConfigurationFactory
Provider initialization class name
Specifies a fully qualified class name that implements the com.ibm.wsspi.security.authorization.InitializeJACCProvider interface.
The class file must reside in the class path of each application server process. These processes include the application server, node agents and the deployment manager.
Do not add the JAR file, which contains the class file, to the <WAS_HOME>/lib directory in a product environment as service releases overwrite files in this directory.
When implemented, this class is called at the start and the stop of all the application server processes. Use this class for any required initialization needed by the provider client code to communicate with the provider server. The properties that are entered in the custom properties link are passed to the provider when the process starts up. The default class name is for the Tivoli Access Manager implementation of the provider initialization class name.
This field is optional. For information on enabling the JACC provider using this field, see the "Enabling the JACC provider for Tivoli Access Manager" topic in the information center.
Information Value Data type: String Default: com.tivoli.pd.as.jacc.cfg.TAMConfigInitialize
Requires the EJB arguments policy context handler for access decisions
Specifies whether the JACC provider requires the EJBArgumentsPolicyContextHandler handler to make access decisions.
Because this option has an impact on performance, do not set it unless it is required by the provider. Normally, this handler is required only when the provider supports instance-based authorization. Tivoli Access Manager does not support this option for Java EE applications.
Information Value Default: Disabled
Supports dynamic module updates
Specifies whether we can apply changes made to security policies of web modules in a running application, dynamically without affecting the rest of the application.
If this option is enabled, the security policies of the added or modified web modules are propagated to the JACC provider and only the affected web modules are started.
If this option is disabled, then the security policies of the entire application are propagated to the JACC provider for any module-level changes. The entire application is restarted for the changes to take effect.
Typically, this option is enabled for an external JACC provider.
Information Value Default: Enabled
Custom properties
Properties required by the provider.
These properties are propagated to the provider during the startup process when the provider initialization class name is initialized. If the provider does not implement the provider initialization class name as described previously, the properties are not used.
The ISAM implementation does not require that you enter any properties in this link.
ISAM properties
Specifies properties required by the ISAM implementation.
These properties are used to set up the communication between the application server and the ISAM server. We must install and configure the ISAM server before entering these properties.
Use the built-in authorization provider Authorizing access to Java EE resources using ISAM External authorization provider settings JSR 115: Java Authorization Contract for Containers