Configure global signon principal mapping


To create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials:

  1. Select Security > Global security.

  2. Under Authentication, click JAAS Configuration > Application logins.

  3. Click New to create a new JAAS login configuration.

  4. Enter the alias name of the new application login. Click Apply.

  5. Under Additional properties, click the JAAS Login Modules link to define the JAAS Login Modules.

  6. Click New and enter the following:

    Module class name: com.tivoli.pdwas.gso.AMPrincipalMapper
    Use Login Module Proxy: enable
    Authentication strategy: REQUIRED

    Click Apply.

  7. In the Additional Properties section, click Custom Properties to define Login Module-specific values, which are passed directly to the underlying Login Modules.

  8. Click New.

    The Tivoli Access Manager principal mapping module uses the configuration string, authDataAlias, to retrieve the correct user name and password from the security configuration. The authDataAlias passed to the module is the one configured for the J2C ConnectionFactory. Because the authDataAlias is an arbitrary string entered at configuration time, the following scenarios are possible:

    • The authDataAlias contains both the GSO Resource name and the user name. The format of this string is "Resource/User".

    • The authDataAlias contains only the GSO Resource name. The user name is determined using the Subject of the current session.

    Which scenario to use is determined by a JAAS configuration option. The details of these options are:

    Name : com.tivoli.pd.as.gso.AliasContainsUserName
    Value : True if the alias contains the user name, false if the user name should be retrieved from the security context.

    When entering authDataAliases through the WebSphere Application Server console, the node name is automatically prepended to the alias. A second JAAS configuration entry determines whether this node name is removed or kept as part of the resource name.

    Name : com.tivoli.pd.as.gso.AliasContainsNodeName
    Value : True if the alias contains the node name.

    Enter each new parameter using the following scenario information as a guide.

    Note: If the PdPerm.properties configuration file is not in the default location, JAVA_HOME/PdPerm.properties, you must also add the following property:

    Name = com.tivoli.pd.as.gso.AMCfgURL
    Value = file:///path to PdPerm.properties

    Scenario 1
    Auth Data Alias - BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 2
    Auth Data Alias - BackendEIS
    Resource - BackEndEIS
    User - Currently authenticated WAS user
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 3
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 4
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - nodename/BackEndEIS (notice that node name was not removed)
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 5
    Auth Data Alias - BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 6
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - nodename/BackendEIS/eisUser (notice that the Resource is the same as Auth Data Alias).
    User - Currently authenticated WAS user
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false
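The two options above are easy to misread, and a wrong combination silently sends the mapper to the wrong GSO resource (Scenario 4 and Scenario 6 show a node name or even the user name ending up inside the resource string). The following Python is an added illustration written for this page, not the AMPrincipalMapper code: it models only the two rules the text states (strip a leading "nodename/" when AliasContainsNodeName is true; split off a trailing "/User" when AliasContainsUserName is true, otherwise take the user from the current Subject) and fails closed when an alias does not match the shape the flags promise. The constructed inputs mirror Scenarios 1 through 4 and 6; the resource is taken verbatim from the alias, so it keeps the alias's spelling. Scenario 5 is left out: with AliasContainsNodeName set, the first segment of BackendEIS/eisUser would be consumed as a node name, so the table's result for it cannot be reproduced from the two rules alone. The subject user name wasUser is a constructed placeholder.

```python
"""Model of how the two GSO JAAS options select the GSO resource and user
from an authDataAlias.  Added illustration for this page, not the
com.tivoli.pdwas.gso.AMPrincipalMapper implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GsoLookup:
    """The (resource, user) pair the mapper looks up in the GSO database."""
    resource: str
    user: str


def resolve_gso_lookup(
    auth_data_alias: str,
    alias_contains_user_name: bool,
    alias_contains_node_name: bool,
    subject_user: Optional[str] = None,
) -> GsoLookup:
    """Apply the two documented rules to an authDataAlias.

    alias_contains_user_name -> com.tivoli.pd.as.gso.AliasContainsUserName
    alias_contains_node_name -> com.tivoli.pd.as.gso.AliasContainsNodeName
    subject_user is the principal of the current session's Subject and is
    consulted only when the alias does not carry the user name.
    """
    alias = auth_data_alias

    # Rule 1: the console prepends "nodename/"; strip it only when the flag
    # says the alias carries a node name.  If the flag is set but nothing
    # follows the first "/", the alias cannot name a resource: fail closed.
    if alias_contains_node_name:
        node, sep, rest = alias.partition("/")
        if not sep or not node or not rest:
            raise ValueError(
                f"AliasContainsNodeName=true but {auth_data_alias!r} has no node prefix"
            )
        alias = rest

    # Rule 2: with AliasContainsUserName=true the alias is "Resource/User".
    # The user is the last segment; everything before it is the resource,
    # which is why an unstripped node name stays inside the resource.
    if alias_contains_user_name:
        resource, sep, user = alias.rpartition("/")
        if not sep or not resource or not user:
            raise ValueError(
                f"AliasContainsUserName=true but {auth_data_alias!r} is not Resource/User"
            )
        return GsoLookup(resource=resource, user=user)

    # Otherwise the whole remaining alias is the resource and the user is
    # whoever is authenticated in the current Subject.
    if not subject_user:
        raise ValueError("no authenticated Subject to take the user name from")
    return GsoLookup(resource=alias, user=subject_user)


# Constructed inputs mirroring Scenarios 1-4 and 6 from the table above:
# (alias, AliasContainsUserName, AliasContainsNodeName, Subject user).
# "wasUser" stands in for the currently authenticated WAS user.
SCENARIOS = {
    1: ("BackendEIS/eisUser", True, False, None),
    2: ("BackendEIS", False, False, "wasUser"),
    3: ("nodename/BackendEIS/eisUser", True, True, None),
    4: ("nodename/BackendEIS/eisUser", True, False, None),
    6: ("nodename/BackendEIS/eisUser", False, False, "wasUser"),
}


def run_scenarios() -> dict:
    """Resolve every constructed scenario; returns {scenario: GsoLookup}."""
    return {n: resolve_gso_lookup(*args) for n, args in SCENARIOS.items()}


if __name__ == "__main__":
    for n, lookup in run_scenarios().items():
        print(f"Scenario {n}: resource={lookup.resource!r} user={lookup.user!r}")
```

Running the block prints the resource/user pair each scenario resolves to, which is a quick way to check a planned alias and flag combination before it reaches a connection factory. Raising on a malformed alias rather than guessing matters here: a lookup against an unintended GSO resource would either fail at the backend or, worse, hand out a credential the caller was not meant to receive.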

    You now need to create the J2C authentication aliases. The user name and password assigned to these alias entries are irrelevant, because Tivoli Access Manager is responsible for providing user names and passwords. However, the J2C authentication aliases must exist so they can be selected for the J2C connection factory in the console.

    To create the J2C authentication aliases, from the WebSphere Application Server administrative console, click Security > Global security. Under JAAS Configuration, click J2C Authentication Data, and click New for each entry. Refer to the scenario tables above for the inputs. The connection factories for each resource adapter that needs to use the GSO database must be configured to use the Tivoli Access Manager Principal Mapping module. To do this:

    1. From the WebSphere Application Server console, select Applications > Enterprise Applications > application_name.

    2. Under Related items, click Connector Modules.

    3. Click the .rar link.

    4. Under Additional properties, click Resource Adapter.

      Note: The resource adapter does not need to be packaged with the application; it can be standalone. In that case, the resource adapter is configured from Resources > Resource Adapters.

    5. Under Additional properties, click J2C Connection Factories.

    6. Click New and enter the connection factory properties.

    Note: Configuring custom mapping on a connection factory is deprecated in WebSphere Application Server Version 6. To configure the GSO credential mapping, it is recommended that you use the Map Resource References to Resources panel on the administrative console. For more information, refer to J2EE Connector security.

Related concepts
Global signon principal mapping
Searchable topic ID: tsec_config_gso_mapping