External Access Control Service
The portal External Access Control Service collects authorization data from external security managers, such as CA eTrust SiteMinder or IBM Security Verify Access. In the WAS console, the portal External Access Control Service is listed as WP ExternalAccessControlService. The configuration properties of the service are listed in the following tables and we can modify them; however, plan changes well ahead and apply special care when modifying them.
These entries are optional and are not required for integration with an external security provider.
Property: externalaccesscontrol.ready
Default: false
Description: If true, the configuration in this file connects to the External Security Manager.

Property: externalaccesscontrol.server
Default: WebSphere_Portal

Property: externalaccesscontrol.application
Default: WPS

Property: externalaccesscontrol.cell
Default: cell

Description (shared by the server, application and cell properties): Role name representations are qualified with a context built by these properties. For example, the role
Administrator@External_Access_Control/xxx/xxx
is represented as follows:
- Security Access Manager: Protected object space entry
/WPSv6/Administrator@External_Access_Control/xxx/xxx/WPS/WebSphere_Portal/cell
- eTrust SiteMinder: Resource/subrealms under Domain:
/cell/WebSphere_Portal/WPS/Administrator@External_Access_Control/xxx/xxx
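The two mappings above are easy to confuse because the path components appear in opposite order in the two products. The following is an added example, not code from the HCL documentation or the product: it builds the Security Access Manager protected object name and the eTrust SiteMinder realm path for a portal role from the server, application, cell and pdroot properties, and inverts the mapping so that an object name seen in an ESM listing or audit record can be traced back to the portal role it represents. The property names and path layouts come from the text above; the function names and the sample context are assumptions made here.

```python
# Added example (not part of the HCL documentation): qualify a portal role
# name into the object name each External Security Manager sees, and recover
# the role name from such an object. Function names are mine; property names
# and the two path layouts follow the documentation.
from typing import Dict, Tuple

# Constructed sample context using the documented default values.
SAMPLE_CONTEXT: Dict[str, str] = {
    "externalaccesscontrol.pdroot": "/WPSv6",
    "externalaccesscontrol.server": "WebSphere_Portal",
    "externalaccesscontrol.application": "WPS",
    "externalaccesscontrol.cell": "cell",
}


def _context(props: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (application, server, cell) from the properties."""
    return (props["externalaccesscontrol.application"],
            props["externalaccesscontrol.server"],
            props["externalaccesscontrol.cell"])


def isam_object_name(role_name: str, props: Dict[str, str]) -> str:
    """Security Access Manager protected object space entry:
    <pdroot>/<role>/<application>/<server>/<cell>."""
    app, server, cell = _context(props)
    pdroot = props["externalaccesscontrol.pdroot"].rstrip("/")
    return f"{pdroot}/{role_name}/{app}/{server}/{cell}"


def siteminder_realm_path(role_name: str, props: Dict[str, str]) -> str:
    """eTrust SiteMinder realm/sub-realm path under the domain:
    /<cell>/<server>/<application>/<role> (note the reversed order)."""
    app, server, cell = _context(props)
    return f"/{cell}/{server}/{app}/{role_name}"


def role_from_isam_object(object_name: str, props: Dict[str, str]) -> str:
    """Inverse of isam_object_name. Raises ValueError for objects that do not
    belong to the configured pdroot/application/server/cell context, so an
    unrelated protected object is never mistaken for a portal role."""
    app, server, cell = _context(props)
    prefix = props["externalaccesscontrol.pdroot"].rstrip("/") + "/"
    suffix = f"/{app}/{server}/{cell}"
    if not (object_name.startswith(prefix) and object_name.endswith(suffix)):
        raise ValueError(f"{object_name!r} is not a portal role object for this context")
    role = object_name[len(prefix):-len(suffix)]
    if not role:
        raise ValueError(f"{object_name!r} carries no role name")
    return role


def role_from_siteminder_path(realm_path: str, props: Dict[str, str]) -> str:
    """Inverse of siteminder_realm_path, with the same context check."""
    app, server, cell = _context(props)
    prefix = f"/{cell}/{server}/{app}/"
    if not realm_path.startswith(prefix) or len(realm_path) == len(prefix):
        raise ValueError(f"{realm_path!r} is not a portal role realm for this context")
    return realm_path[len(prefix):]


if __name__ == "__main__":
    role = "Administrator@External_Access_Control/xxx/xxx"
    print(isam_object_name(role, SAMPLE_CONTEXT))
    print(siteminder_realm_path(role, SAMPLE_CONTEXT))
```

The context check in the inverse functions matters when reviewing ESM output: only objects under the configured pdroot that end with the configured application/server/cell (or, for SiteMinder, start with cell/server/application) are portal role representations; anything else in the same tree belongs to another application.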
Access Manager configuration
Use the following properties to configure the connection between HCL WebSphere Portal and IBM Security Access Manager (ISAM). After completing the AMJRTE and SrvSslCfg ConfigEngine tasks, these directives are required to allow HCL WebSphere Portal to use Security Access Manager as an External Security Manager.

Property: externalaccesscontrol.pdroot
Default: /WPSv6
Description: Provide the root of your Protected Object Space for Portal Server entries.

Property: externalaccesscontrol.pduser
Default: sec_master

Property: externalaccesscontrol.pdpw
Default: passw0rd

Description (shared by pduser and pdpw): Provide an administrative user ID and password with adequate rights in Tivoli to create, delete, and modify the objects in the Protected Object Space. To mask the password:
cd APPSERVER_ROOT/bin/
./PropFilePasswordEncoder WP_PROFILE/PortalServer/properties/ExternalAccessControlService.properties externalaccesscontrol.pdpw
This utility also removes commented lines, so make a backup copy before running it.

Property: externalaccesscontrol.pdurl
Default: file:///${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties
Description: Specify the URL location of the Access Manager properties file for AMJRTE. This URL must be in the format file:///directory_path_to_properties_file. HTTP URLs are not supported.

Property: externalaccesscontrol.createAcl
Default: true
Description:
- true: An ISAM ACL is created for every HCL WebSphere Portal resource. This is the default.
- false: No ACLs are created for portal objects. The Access Manager administrator is responsible for all ACL linkages between Access Manager and HCL WebSphere Portal.

Property: externalaccesscontrol.pdactiongroup
Default: [WPS]

Property: externalaccesscontrol.pdAction
Default: m

Description (shared by pdactiongroup and pdAction): Specify the action group and the customized actions to map to portal role membership. If these items do not exist, they are created at startup. The values shown are the defaults. Optional.
CA eTrust SiteMinder policy server information
Use the following properties to configure the connection between HCL WebSphere Portal and the Policy Server.
Property: externalaccesscontrol.domainname
Default: HCL WebSphere Portal V 8
Description: Domain name to be created in the eTrust SiteMinder administrative GUI. All realms and sub-realms are created under this domain. The domain is created when HCL WebSphere Portal starts.

Property: externalaccesscontrol.scheme
Default: Basic
Description: Scheme to be associated with the realms. Define this scheme in eTrust SiteMinder before starting HCL WebSphere Portal. The default value is Basic.

Property: externalaccesscontrol.agentname
Default: wpsagent

Property: externalaccesscontrol.agentsecret
Default: passw0rd

Description (shared by agentname and agentsecret): Agent name and secret used to establish a run-time connection with eTrust SiteMinder. The agent should be a web agent with a static shared secret; for Web Agents later than Version 4.6, enable the "supports 4.x agents" property on the eTrust SiteMinder web agent. Use the WAS PropFilePasswordEncoder utility to mask the password:
APPSERVER_ROOT/bin/PropFilePasswordEncoder WP_PROFILE/PortalServer/config/properties/ExternalAccessControlService.properties externalaccesscontrol.agentsecret
This utility also removes commented lines, so make a backup copy before running it.

Property: externalaccesscontrol.admin
Default: siteminder

Property: externalaccesscontrol.password
Default: passw0rd

Description (shared by admin and password): Administrative user ID and password for a user who can create, delete, and modify the eTrust SiteMinder objects used to represent HCL WebSphere Portal roles. This user ID must have sufficient access to domain-level objects in eTrust SiteMinder. To mask the password:
cd APPSERVER_ROOT/bin/
./PropFilePasswordEncoder WP_PROFILE/PortalServer/properties/ExternalAccessControlService.properties externalaccesscontrol.password
This utility also removes commented lines, so make a backup copy before running it.

Property: externalaccesscontrol.userdir
Default: (none)
Description: User Directory associated with the domain. We configure failover for user directories in the eTrust SiteMinder administrative GUI. The user directory must exist before starting HCL WebSphere Portal.

Property: externalaccesscontrol.failOver
Default: false
Description: Whether the ESM subsystem should switch to another Policy Server if it cannot contact the current one. Possible values are true and false. We can specify this property as either externalaccesscontrol.failOver or externalaccesscontrol.failover. If we specify multiple Policy Server addresses in the servers property and this property is set to false, the Computer Associates Agent API follows round-robin load balancing, distributing ("spraying") requests among the configured Policy Servers. This may be appropriate for a TAI that only performs read operations against the Policy Server(s), but not for write operations. If we have multiple servers defined in the externalaccesscontrol.servers property, set failOver to true.

Property: externalaccesscontrol.servers
Default: server1,server2, . . .
Description: IP addresses of all the Policy Servers. Separate multiple addresses with commas, for example: servers=10.0.0.1,10.0.0.2. If multiple servers are defined, set failOver to true. For each server, define the following:
- accountingPort (default 44441): Accounting port for the Policy Server.
- authenticationPort (default 44442): Authentication port for the Policy Server.
- authorizationPort (default 44443): Authorization port for the Policy Server.
- connectionMax (default 10): Maximum number of connections that the authorization service may make to this Policy Server.
- connectionMin (default 1): Initial number of connections that the authorization service establishes with this Policy Server.
- connectionStep (default 1): Number of connections to allocate if the authorization service runs out of connections to the Policy Server.
- timeout (default 20): Connection timeout in seconds.
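Several of the constraints in the Access Manager and SiteMinder tables above are easy to get wrong before the first start: secrets left in clear text or at the documented default value, an HTTP pdurl, or several Policy Servers listed without failOver set to true. The following is an added example, not part of the HCL documentation or of the product: a small pre-start check that reads ExternalAccessControlService.properties and reports those conditions. Property names and rules come from the tables above; the function names and the two sample files are constructed here, and the check assumes that values masked by the WebSphere PropFilePasswordEncoder utility carry the {xor} prefix.

```python
# Added example (not part of the HCL documentation): sanity-check an
# ExternalAccessControlService.properties file against the rules stated in
# the configuration tables. Function names are mine. Assumption: secrets
# masked with PropFilePasswordEncoder start with "{xor}".
import re
from typing import Dict, List, Tuple

SECRET_KEYS = (
    "externalaccesscontrol.pdpw",
    "externalaccesscontrol.agentsecret",
    "externalaccesscontrol.password",
)
DOCUMENTED_DEFAULT_SECRET = "passw0rd"  # default shown in the tables above
MASK_PREFIX = "{xor}"                   # assumed PropFilePasswordEncoder prefix

# Constructed sample with several of the documented mistakes.
SAMPLE_WEAK = """\
# constructed sample, not a real deployment
externalaccesscontrol.ready=true
externalaccesscontrol.pdurl=http://pdhost.example/PdPerm.properties
externalaccesscontrol.pdpw=passw0rd
externalaccesscontrol.agentsecret={xor}Lz4sLChvLTs=
externalaccesscontrol.password=hunter2
externalaccesscontrol.servers=10.0.0.1,10.0.0.2
externalaccesscontrol.failover=false
"""

# Constructed sample that satisfies every rule (masked values are placeholders).
SAMPLE_OK = """\
externalaccesscontrol.ready=true
externalaccesscontrol.pdurl=file:///${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties
externalaccesscontrol.pdpw={xor}MASKED_PLACEHOLDER
externalaccesscontrol.agentsecret={xor}MASKED_PLACEHOLDER
externalaccesscontrol.password={xor}MASKED_PLACEHOLDER
externalaccesscontrol.servers=10.0.0.1,10.0.0.2
externalaccesscontrol.failOver=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value; '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_eac_properties(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (property, problem) pairs; an empty list means no finding."""
    findings: List[Tuple[str, str]] = []

    # 1. Secrets must be masked with PropFilePasswordEncoder and must not be
    #    the documented default value.
    for key in SECRET_KEYS:
        value = props.get(key, "")
        if not value:
            continue
        if not value.startswith(MASK_PREFIX):
            findings.append((key, "clear-text secret; run PropFilePasswordEncoder"))
            if value == DOCUMENTED_DEFAULT_SECRET:
                findings.append((key, "documented default password still in use"))

    # 2. pdurl must be a file:/// URL; HTTP URLs are not supported.
    pdurl = props.get("externalaccesscontrol.pdurl")
    if pdurl is not None and not pdurl.startswith("file:///"):
        findings.append(("externalaccesscontrol.pdurl",
                         "must be file:///...; HTTP URLs are not supported"))

    # 3. Several Policy Servers without failOver=true means round-robin
    #    spraying, which is unsuitable for write operations.
    servers = [s.strip() for s in props.get("externalaccesscontrol.servers", "").split(",") if s.strip()]
    failover = (props.get("externalaccesscontrol.failOver")
                or props.get("externalaccesscontrol.failover") or "false")
    if len(servers) > 1 and failover.lower() != "true":
        findings.append(("externalaccesscontrol.failOver",
                         f"{len(servers)} Policy Servers listed but failOver is not true"))

    # 4. createAcl=false hands every ACL linkage to the Access Manager administrator.
    if props.get("externalaccesscontrol.createAcl", "true").lower() == "false":
        findings.append(("externalaccesscontrol.createAcl",
                         "portal creates no ACLs; confirm the administrator links them"))
    return findings


def audit(text: str) -> List[Tuple[str, str]]:
    """Parse a properties file's text and check it."""
    return check_eac_properties(parse_properties(text))


if __name__ == "__main__":
    for key, problem in audit(SAMPLE_WEAK):
        print(f"{key}: {problem}")
```

Run the check before the first start that has externalaccesscontrol.ready set to true. Note that the {xor} masking produced by PropFilePasswordEncoder is reversible obfuscation rather than encryption, so the file permissions on ExternalAccessControlService.properties still decide who can read the ISAM and SiteMinder credentials.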