Configure Security Access Manager to perform authorization

Configure Security Access Manager to perform authorization

Configure IBM Security Verify Access (ISAM) to perform authorization as an independent task from configuring ISAM to perform authentication, but configure both tasks. Using ISAM to perform only authorization is not supported. Complete the steps in Configure ISAM to perform authentication only before configuring ISAM to perform authorization.
There are additional considerations when setting up security to use an external security manager in a cluster environment and across mixed nodes. Complete any configuration for an ESM after completing all other configuration tasks, including ensuring that the cluster is functional.
After completing the following authorization procedure, the ISAM protected object space will contain entries for roles in the following format:

PDRoot/Portal_Role@Portal_Resource[/EACappname/EACserverName/EACcellName]

For example:
/WP95/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL[/wps/WebSphere_Portal/Cell01

If the reorderRoles property is set to true, the the role resource displays as...
Portal_Resource@Role
For example:
VIRTUAL_EXTERNAL_ACCESS_CONTROL@Administrator.

Configure ISAM to perform authorization

Validate that the AMJRTE properties exists:
./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo

Clustered environments:

Complete this step on all nodes.
WasPassword is the dmgr administrative password.

If the task does not run successfully: Run run-svrssl-config to create the properties file, see Create the AMJRTE properties file, then run validate-pdadmin-connection again. If the task is not successful after a second attempt, do not perform any subsequent steps in this topic. The face that the task does not run successfully indicates that the portal cannot connect to the ISAM server.

Enter only the following parameters in wkplc_comp.properties under the Namespace management parameters heading:

Parameter Description Example
wp.ac.impl.EACserverName Namespace context WebSphere_Portal
wp.ac.impl.EACcellName Namespace context Cell01
wp.ac.impl.EACappname Namespace context wps
wp.ac.impl.reorderRoles Role order. Set false to order by resource type last. Set true to order by resource type first. false

Set all three of the EACserverName, EACcellName, and EACappname properties; otherwise, they are not included in the object space entries.
In a cluster the parameters must match on all nodes.

Set only the following parameters in wkplc_comp.properties under the Portal authorization parameters heading:

Parameter Description Example
wp.ac.impl.PDRoot Root objectspace entry in the ISAM namespace. All Portal roles will be installed under this objectspace entry. /WPv95
wp.ac.impl.PDAction Custom action created by the ISAM external authorization plug-in. The combination of the action group and the action determines the ISAM permission string required to assign membership to externalized portal roles. When the ISAM external authorization plugin is started, it will detect and, if necessary, create a custom action in ISAM. For ISAM with multiple profiles, choose a unique name for each root objectspace entry to easily distinguish one entry from another profile entry. m
wp.ac.impl.PDActionGroup Custom action group created by the ISAM external authorization plug-in. The combination of the action group and the action determines the ISAM permission string required to assign membership to externalized portal roles. When the ISAM external authorization plugin is started, it will detect and, if necessary, create a custom action group in ISAM. WPS95
wp.ac.impl.PDCreateAcl Set true to automatically create and attach a ISAM ACL when portal externalizes a role. Set false to not create and attach a ISAM ACL when portal externalizes a role. true

In a cluster the parameters must match on all nodes.

Save changes to the properties file.

Run the following enable ISAM authorization task:
./ConfigEngine.sh enable-tam-authorization -DWasPassword=foo from the WP_PROFILE/ConfigEngine

Clustered environments:

Complete this step on all nodes.
WasPassword is the dmgr administrative password.

If the task does not run successfully: Ensure the values in wkplc_comp.properties are valid.

Stop and restart servers, dmgrs, and node agents.

Parent: Configure ISAM for non-z/OS operating systems
Related:
Start and stop servers, dmgrs, and node agents
Create the AMJRTE properties file

Parameter	Description	Example
wp.ac.impl.EACserverName	Namespace context	WebSphere_Portal
wp.ac.impl.EACcellName	Namespace context	Cell01
wp.ac.impl.EACappname	Namespace context	wps
wp.ac.impl.reorderRoles	Role order. Set false to order by resource type last. Set true to order by resource type first.	false

Parameter	Description	Example
wp.ac.impl.PDRoot	Root objectspace entry in the ISAM namespace. All Portal roles will be installed under this objectspace entry.	/WPv95
wp.ac.impl.PDAction	Custom action created by the ISAM external authorization plug-in. The combination of the action group and the action determines the ISAM permission string required to assign membership to externalized portal roles. When the ISAM external authorization plugin is started, it will detect and, if necessary, create a custom action in ISAM. For ISAM with multiple profiles, choose a unique name for each root objectspace entry to easily distinguish one entry from another profile entry.	m
wp.ac.impl.PDActionGroup	Custom action group created by the ISAM external authorization plug-in. The combination of the action group and the action determines the ISAM permission string required to assign membership to externalized portal roles. When the ISAM external authorization plugin is started, it will detect and, if necessary, create a custom action group in ISAM.	WPS95
wp.ac.impl.PDCreateAcl	Set true to automatically create and attach a ISAM ACL when portal externalizes a role. Set false to not create and attach a ISAM ACL when portal externalizes a role.	true