Tivoli Access Manager JACC provider configuration

 


You can configure the Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager to deliver both authentication and authorization protection for your applications, or authentication only. Most deployments that use the JACC provider for Tivoli Access Manager use it for both authentication and authorization. If you want Tivoli Access Manager to provide authentication, but want to leave authorization as part of WebSphere Application Server native security, add the property com.tivoli.pd.as.amwas.DisableAddAuthorizationTableEntry=true to the amwas.amjacc.template.properties file that is located in the profile_root/config/cells/cell_name directory, where profile_root is the directory that contains your profile. The default location is /QIBM/UserData/WebSphere/AppServer/V6/Base/profiles or /QIBM/UserData/WebSphere/AppServer/V6/ND/profiles. After this property is set, perform the tasks for setting Tivoli Access Manager Security, as documented.

You can configure the JACC provider for Tivoli Access Manager using either the WebSphere Application Server administrative console or the wsadmin command-line utility.

The JACC configuration files for Tivoli Access Manager that are common across multiple WebSphere Application Server profiles are created by default under the java/jre directory. When you install WebSphere Application Server, you are given permissions to read and write to the files in this directory.

[UNIX]
Profiles created by users other than the user who installed the application have read-only permissions for this directory.

This is a problem because configuration of the JACC provider for Tivoli Access Manager fails in this case. To avoid it, add the following property to the profile_root/config/cells/cell_name/amwas.amjacc.template.properties file:

  com.tivoli.pd.as.jacc.CommonFileLocation=new location

where new location is a fully qualified directory name.

This property sets the location of the JACC provider for Tivoli Access Manager properties files that are common across profiles.
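One way to apply this property on a UNIX profile, as an added example that is not IBM's code: the hypothetical helper set_jacc_common_location checks that the new location is fully qualified and writable by the current user, then leaves exactly one CommonFileLocation entry in the template properties file. It assumes you run it as the user that owns the profile and that the key starts at the beginning of its line.

```shell
#!/bin/sh
# Added example, not IBM code. set_jacc_common_location is a hypothetical helper.
# Usage: set_jacc_common_location <amwas.amjacc.template.properties> <new location>
# Assumption: run as the user that owns the profile, so the -w test below
# reflects the access that user actually has.

JACC_KEY='com.tivoli.pd.as.jacc.CommonFileLocation'

set_jacc_common_location() {
    props=$1
    newloc=$2

    # The property value must be a fully qualified directory name.
    case $newloc in
        /*) ;;
        *) echo "error: '$newloc' is not a fully qualified path" >&2; return 2 ;;
    esac

    # A common directory this user cannot write to is the failure case
    # described above, so refuse to point the provider at one.
    if [ ! -d "$newloc" ] || [ ! -w "$newloc" ]; then
        echo "error: '$newloc' is not a writable directory for $(id -un)" >&2
        return 3
    fi

    [ -f "$props" ] || { echo "error: $props not found" >&2; return 4; }

    # Copy every line except an existing entry for the key, then append the
    # new value, so repeated runs leave exactly one entry.
    tmp=$(mktemp "${props}.XXXXXX") || return 5
    awk -v k="${JACC_KEY}=" 'index($0, k) != 1' "$props" > "$tmp"
    printf '%s=%s\n' "$JACC_KEY" "$newloc" >> "$tmp"

    # Overwrite in place so the file keeps its original owner and mode.
    cat "$tmp" > "$props" && rm -f "$tmp"
}

# Constructed sample call (the paths are placeholders, not defaults):
# set_jacc_common_location \
#   "$profile_root/config/cells/$cell_name/amwas.amjacc.template.properties" \
#   /opt/example/jacc-common
```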

[iSeries]
For iSeries installations, however, the permissions for this directory cannot be changed. In iSeries (OS/400), all WebSphere Application Server profiles are initially configured with this setting:

  com.tivoli.pd.as.jacc.CommonFileLocation=USER_INSTALL_ROOT/etc/pd

Therefore, Tivoli Access Manager JACC configuration files are not common across multiple WebSphere Application Server profiles. The following wsadmin command is available to reconfigure the Java Authorization Contract for Containers (JACC) interface for Tivoli Access Manager:

  $AdminTask reconfigureTAM -interactive

This command effectively prompts you through the process of unconfiguring the interface and then reconfiguring it.


Related tasks
Enabling embedded Tivoli Access Manager
Configuring the JACC provider for Tivoli Access Manager using the administrative console
Configuring the JACC provider for Tivoli Access Manager using the wsadmin utility
