Configure a WebSEAL instance
Use the isamcfg tool to configure WebSEAL as a point of contact and policy enforcement point for an appliance that has Advanced Access Control (AAC) activated. Make sure that our WebSEAL server is listening for connections on the appropriate IP addresses and port numbers. We can control the IP address and port number using the WebSEAL configuration file. The IP address is controlled by the [server] network-interface configuration option, and the port numbers are controlled by the [server] https-port and [server] http-port options. To use the isamcfg tool, we must:
- Obtain an IBM JRE, version 8.0 or later supported by the version of PDJrte installed.
- Ensure the Java Runtime used to start the isamcfg tool is configured into the ISAM domain in full mode that uses the PDJRTE. An error is displayed if this condition is not met.
- Ensure the isamcfg tool is able to access the application interface for AAC.
- Run the command from the appliance that hosts the reverse proxy instance, if the instance is a restricted node in a cluster. Use the command-line interface to run the command.
For IBM Security Verify Access WebSEAL, version 7.0 or later, we must also meet the following conditions:
- Configure the com.ibm.security.cmskeystore.CMSProvider in the java.security file, which is in $JAVA_HOME/lib/security, of the IBM JRE. The isamcfg tool uses the ikeycmd command to manipulate key database files. This requires the JRE to have the CMS provider configured in the java.security file.
- Ensure the ikeycmd tool in the $JAVA_HOME/bin is on the system path.
For Tivoli Access Manager for e-business WebSEAL versions 6.1.1 or prior
- Ensure that gsk7ikm tool is on the system path.
The following procedure connects the WebSEAL software version 7.* to ISAM. This procedure is not intended for deployments that have an ISAM appliance with the WebSEAL function. Run the tool on the same system where WebSEAL is located.
- Download the isamcfg.jar from the ISAM appliance with Advanced Access Control.
- On the WebSEAL machine, set up a JAVA_HOME environment variable for the JRE: For example:
export JAVA_HOME=/opt/ibm/java-x86_64-60/jre
...or...
export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/jre
- Add $JAVA_HOME/bin to the path export PATH=$JAVA_HOME/bin:$PATH.
- From the command line, type:
java -jar isamcfg.jar -action config -cfgfile /path/to/webseald.conf
- Use the isamcfg tool to complete the configuration.
After completing the configuration, a summary screen displays indicating the configuration is complete.
See also: iKeyman User's Guide for version 8
Parent topic: Use the isamcfg tool