Set access controls for the proxy

Access control lists (ACLs) cannot be managed from the Security Directory Server proxy server. When a proxy server is used, it is the back-end server that enforces access control. The LDAP administrator must ensure the proper ACLs are created on each of the back-end servers if the ACLs exist on the top-level object of the partition split point.

Security Verify Access must have proper access control to allow it to manage users and groups within the suffixes where user and group definitions are maintained. To set the necessary ACLs on the back-end servers to allow Security Verify Access to manage the partition suffixes, use the ISAM ivrgy_tool utility with the add-acls parameter.

Steps

  1. Run the ivrgy_tool utility from any system where the ISAM Runtime component is installed, for example the system where the policy server is installed.

  2. To apply the proper ACLs on each of the back-end servers, run the following command:

      ivrgy_tool -h backend_host -p backend_port -D ldap_admin_DN \
      -w ldap_admin_pwd -d [-Z] [-K ssl_keyfile] [-P ssl_keyfile_pwd] \
      [-N label] add-acls domain

    For information about the ivrgy_tool utility, see the Reference topics in the IBM Knowledge Center.
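The following script is an added example (not IBM's own tooling) that runs the add-acls command above against every back-end server in turn, with the optional SSL options, and reports any server on which it failed. The host names, ports, bind DN, key database path and label are constructed placeholders.

```shell
#!/bin/sh
# Added example: apply the Security Verify Access ACLs to every back-end server behind
# the Security Directory Server proxy. The proxy itself is never a target, because ACLs
# are enforced (and can only be set) on the back-end servers.
#
# Environment used: LDAP_ADMIN_DN, LDAP_ADMIN_PWD, SVA_DOMAIN (required);
#                   SSL_KEYFILE, SSL_KEYFILE_PWD, SSL_LABEL (optional, enable -Z);
#                   DRY_RUN=1 prints each command with passwords redacted instead of running it.

# Run ivrgy_tool add-acls against one back-end server.
# Usage: add_acls_on_backend host port [ssl_keyfile ssl_keyfile_pwd [label]]
add_acls_on_backend() {
  host=$1; port=$2; keyfile=$3; keyfile_pwd=$4; label=$5
  # Real argument list (option order follows the documented command line)
  set -- -h "$host" -p "$port" -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PWD" -d
  # Parallel display string with the secrets masked, for logs and dry runs
  shown="ivrgy_tool -h $host -p $port -D $LDAP_ADMIN_DN -w **** -d"
  if [ -n "$keyfile" ]; then
    set -- "$@" -Z -K "$keyfile" -P "$keyfile_pwd"
    shown="$shown -Z -K $keyfile -P ****"
    if [ -n "$label" ]; then set -- "$@" -N "$label"; shown="$shown -N $label"; fi
  fi
  set -- "$@" add-acls "$SVA_DOMAIN"
  shown="$shown add-acls $SVA_DOMAIN"
  if [ -n "$DRY_RUN" ]; then echo "$shown"; return 0; fi
  ivrgy_tool "$@"
}

# Back-end servers as host:port (constructed placeholders). List the back ends only,
# never the proxy host.
BACKENDS="ldap1.example.com:389 ldap2.example.com:389"

# Apply the ACLs on every back end. Keep going after a failure so the report names
# each server that still lacks the ACLs; return non-zero if any of them failed.
apply_acls_to_backends() {
  failed=0
  for backend in $BACKENDS; do
    host=${backend%%:*}; port=${backend##*:}
    if add_acls_on_backend "$host" "$port" "$SSL_KEYFILE" "$SSL_KEYFILE_PWD" "$SSL_LABEL"; then
      echo "ACLs applied on $host:$port"
    else
      echo "add-acls FAILED on $host:$port" >&2
      failed=1
    fi
  done
  return $failed
}
```

Export LDAP_ADMIN_DN, LDAP_ADMIN_PWD and SVA_DOMAIN (plus the SSL_* variables for SSL-only back ends), run once with DRY_RUN=1 to review the commands, then call apply_acls_to_backends.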

The policy server is the only Security Verify Access component that must be retargeted to the Security Directory Server proxy server as described in Security Verify Access configuration with the proxy. Other Security Verify Access components, such as the authorization server or WebSEAL, do not need to be retargeted.

After the policy server is configured, other ISAM components can be configured normally.

When configuring Security Verify Access Runtime for other components, the Security Directory Server proxy server host name and port must be specified for the LDAP host name. It is not necessary to indicate any of the back-end servers.
