Configure the Credential Vault adapter for Security Access Manager
Use IBM Security Verify Access in the HCL WebSphere Portal Credential Vault service. HCL WebSphere Portal includes a vault adapter to access the Security Access Manager Global Sign-on (GSO) lockbox. Any existing Tivoli resource or resource credentials can be used in the portlets that access the credential vault service without any additional configuration. In addition, the credential vault service and credential vault management portlet can create or update an existing GSO lockbox entry.
Users who are storing credentials in the accessmanagervault.properties file must be defined in Security Access Manager as global signon (GSO) users.
Clustered note: In a clustered environment, complete steps 1 and 2 on each node. The WasPassword value is the dmgr administrative password.
1. Validate that PdPerm.properties is correct and that communication between HCL WebSphere Portal and the Security Access Manager server works:
Run the validate-pdadmin-connection task on the HCL WebSphere Portal node, or on each node in a clustered environment. In a clustered environment, WasPassword is the dmgr administrator password. wp.ac.impl.PDAdminPwd is the Security Access Manager administrative user password.
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
If the task does not run successfully, run the run-svrssl-config task to create the properties file (see Creating PdPerm.properties), then run the validate-pdadmin-connection task again. If the task is still not successful after the second attempt, do not proceed with any subsequent steps: a failing task indicates that the portal cannot connect to the Security Access Manager server. Troubleshoot the connectivity issue between the portal instance and the Security Access Manager server before continuing.
2. Create and populate the WP_PROFILE/PortalServer/config/config/accessmanagervault.properties file:
./ConfigEngine.sh enable-tam-vault -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
3. Set the value for the systemcred.dn property:
The systemcred.dn property defines the distinguished name of the vault administrative user. All system credentials are stored under this user account. For Security Access Manager, this user must be an existing Security Access Manager user; the Security Access Manager adapter checks that the user exists in Security Access Manager before the slots are accessed.
- Log on to the WAS admin console and go to Resources | Resource Environment | Resource Environment Providers | WP CredentialVaultService | Additional Properties | Custom properties.
- Edit the systemcred.dn property and set the value to an existing Security Access Manager user.
- Stop and restart the appropriate servers to propagate the changes.
4. Create a Credential Vault segment and slot to be used by Security Access Manager:
- From the Portal-integrated console, click the Administration menu icon in the toolbar. Then, click Access > Credential Vault and click Add a vault segment.
- Select the AccessManager vault from the Vaults list; by default it is named AccessManager.
- Enter a Vault segment name and click OK.
- Click Add a vault slot.
- Select the AccessManager vault from the Vault menu.
- Enter a Name for the vault slot and click OK.
5. Optional: Use the WAS encoding mechanism to mask the passwords in the accessmanagervault.properties file and the Security Access Manager administrative password in the pdpw property.
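Steps 1 and 2 of the procedure above as a per-node shell script, added here as an example and not part of the HCL documentation. It assumes the run-svrssl-config task accepts the same two password parameters as the other tasks and that everything else it needs is already configured; the passwords reach ConfigEngine on its command line exactly as in the documented commands.

```shell
#!/bin/sh
# Added example, not part of the HCL documentation: runs steps 1 and 2 of
# the procedure above on one node and refuses to write
# accessmanagervault.properties while the portal cannot reach the Security
# Access Manager server. Usage:
#   sh tam-vault.sh WP_PROFILE/ConfigEngine <WasPassword> <PDAdminPwd>

# Run one ConfigEngine task with the two passwords the documented
# commands use. Returns the task's exit status.
run_task() {
  engine_dir=$1; task=$2; was_pw=$3; pd_pw=$4
  "$engine_dir/ConfigEngine.sh" "$task" \
    -DWasPassword="$was_pw" -Dwp.ac.impl.PDAdminPwd="$pd_pw"
}

# Step 1: validate the PdPerm.properties connection. On failure, create the
# file with run-svrssl-config (assumed to accept the same two passwords) and
# validate exactly once more, as the documentation prescribes.
ensure_pdadmin_connection() {
  engine_dir=$1; was_pw=$2; pd_pw=$3
  if run_task "$engine_dir" validate-pdadmin-connection "$was_pw" "$pd_pw"; then
    return 0
  fi
  echo "validate-pdadmin-connection failed; running run-svrssl-config" >&2
  run_task "$engine_dir" run-svrssl-config "$was_pw" "$pd_pw" || return 1
  run_task "$engine_dir" validate-pdadmin-connection "$was_pw" "$pd_pw"
}

# Steps 1 and 2 together: enable-tam-vault runs only after validation
# succeeded, so a portal that cannot connect is left unchanged for
# troubleshooting. Returns 1 when the sequence was aborted.
configure_tam_vault() {
  engine_dir=$1; was_pw=$2; pd_pw=$3
  if ! ensure_pdadmin_connection "$engine_dir" "$was_pw" "$pd_pw"; then
    echo "portal cannot connect to Security Access Manager; not enabling the vault" >&2
    return 1
  fi
  run_task "$engine_dir" enable-tam-vault "$was_pw" "$pd_pw"
}

# Run only when invoked with all three arguments; sourcing the file just
# defines the functions (for example to loop over cluster nodes).
if [ "$#" -eq 3 ]; then
  configure_tam_vault "$1" "$2" "$3"
fi
```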