Configure Tivoli Access Manager to perform authentication only
WebSphere Portal runs on IBM WAS, which can use Trust Association Interceptors (TAIs) to provide third-party authentication. WebSphere Portal and WAS support a TAI that is provided by Tivoli. If you use Tivoli Access Manager to perform authorization for WebSphere Portal, also use Tivoli Access Manager to perform the authentication. Using Tivoli Access Manager to perform only authorization is not supported.
To configure Tivoli Access Manager to perform authentication only, complete the following steps.
Notes:
- This procedure requires that you be familiar with WebSEAL administration concepts as presented in the WebSEAL Administrator's Guide. These are not the only options available for configuring WebSEAL with WAS. For complete descriptions of all the options, refer to the Tivoli Access Manager and WAS documentation.
- This example assumes that HTTP Server is the Web server.
- The term pdadmin refers to a command line utility that supports Tivoli Access Manager administrative functions.
- In a clustered environment, you only need to perform these steps on one node in the cluster.
- Configure WebSphere Portal, your database, and the user registry.
- Start the Tivoli Access Manager policy and authorization servers, which are required for successful configuration and for single sign-on (SSO) to occur.
- Configure WebSEAL. Refer to the WebSEAL Installation Guide for more information.
- Optional: To create an SSL junction using LTPA authentication on the WebSEAL node:
  - Open a pdadmin command prompt from any node that has a Tivoli Access Manager Runtime component installed. This can be done on the Tivoli Access Manager Server node, the WebSEAL node or the WebSphere Portal node.
  - Enter the following command on one line:
    server task WebSEAL-Instance-webseald-WebSEAL-HostName create -t ssl -b filter -A -F LTPA-Keys-Path -Z LTPA-Password -h Target-Host -c all /Junction-Name
    - The -A option enables LTPA cookies.
    - The -F key-file option and argument specifies the full path name location on the WebSEAL server of the key file used to encrypt the shared key that is originally created on the WAS server and copied securely to the WebSEAL server. Refer to the WAS product documentation for specific details regarding exporting the LTPA key. Verify that automatic LTPA key generation is disabled.
    - The -Z keyfile-password option and argument specifies the password required to open the key file.
- Optional: If you plan to use an SSL junction, follow the instructions in steps 1-3 of Set up SSL.
- Optional: Perform the following steps if you plan to use an SSL junction:
  - Use the IBM Key Management utility to load the Web server certificate into the keyring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
  - Restart WebSEAL.
- Enter the following tasks on the pdadmin command line to create the trusted user account. One of the underlying TAI security requirements is the trusted user account in the Tivoli Access Manager user registry that WAS is configured to use. This is the ID and password that WebSEAL uses to identify itself to WAS. To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account should be for the TAI only.
  - pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
  - pdadmin> user modify webseal_userid account-valid yes
- Run the following validation task to validate that the AMJRTE properties file exists:
  - Windows: ConfigEngine.bat validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root\ConfigEngine directory
  - UNIX: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory
  - i5/OS: ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory
  If this task fails, run the run-svrssl-config task to create the properties file; see "Creating the AMJRTE properties file" for information about running this task. Then attempt the validate-pdadmin-connection task again. If this task still fails, do not proceed any further: it indicates that the portal cannot connect to the Tivoli Access Manager server, and subsequent tasks will fail.
- Edit the wkplc_comp.properties file, located in the following directory:
  - Windows: profile_root\ConfigEngine\properties
  - UNIX: profile_root/ConfigEngine/properties
  - i5/OS: profile_root/ConfigEngine/properties
- Enter only the following parameters in the wkplc_comp.properties file under the WebSEAL junction parameters heading:
  - For wp.ac.impl.JunctionType, type tcp or ssl to define the type of junction to be created in Tivoli Access Manager.
  - For wp.ac.impl.JunctionPoint, type the WebSEAL junction point to the WebSphere Portal installation. This parameter must begin with the / character.
  - For wp.ac.impl.WebSealInstance, type the WebSEAL installation used to create the junction.
  - For wp.ac.impl.TAICreds, type the headers inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.
  - For wp.ac.impl.JunctionHost, type the backend server host name to supply to the junction create command.
  - For wp.ac.impl.JunctionPort, type the backend server port to supply to the junction create command.
- Enter only the following parameters in the wkplc_comp.properties file under the WAS WebSEAL TAI parameters heading:
  - For wp.ac.impl.hostnames, enter the fully qualified URL for WebSphere Portal.
  - For wp.ac.impl.ports, enter the port number used to access the host machine identified in wp.ac.impl.hostnames.
  - For wp.ac.impl.loginId, enter the reverse proxy identity used when you create a TCP junction.
  - For wp.ac.impl.BaUserName, enter the reverse proxy identity used when you create an SSL junction.
  - For wp.ac.impl.BaPassword, enter the password for the SSL junction reverse proxy ID.
- Save changes to the wkplc_comp.properties file.
- Run the following task to configure the TAI for Tivoli Access Manager:
  - Windows: ConfigEngine.bat enable-tam-tai -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root\ConfigEngine directory
  - UNIX: ./ConfigEngine.sh enable-tam-tai -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory
  - i5/OS: ConfigEngine.sh enable-tam-tai -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory
  If this is a clustered environment, WasPassword is the Deployment Manager administrative password.
- Restart all required servers to propagate changes.
- If you created a TCP junction in the previous step, go to the WebSEAL machine and edit the webseald-instance.conf file for the appropriate WebSEAL instance (for example, webseald-default.conf). Set the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WAS; this user ID and password were created in an earlier step. Stop and start the WebSEAL server before continuing.
- The length of the generated URLs may cause problems if your WebSEAL instance is on the Windows platform. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.
- Import WebSphere Portal users and groups into Tivoli Access Manager by entering the following commands on the Tivoli Access Manager administrative command line, where wpsadmin is the user ID for the administrator and wpsadmins is the administrators group name. The fully distinguished names of these user and group IDs will vary depending on your LDAP settings.
  - user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
  - user modify wpsadmin account-valid yes
  - group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com
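Before running enable-tam-tai, it is worth checking that the junction and TAI parameters entered above are consistent with the rules this procedure states (tcp or ssl junction type, a junction point beginning with /, a loginId for TCP or BaUserName and BaPassword for SSL, and a trusted user that is neither sec_master nor wpsadmin). The following POSIX shell script is an added example, not part of the IBM documentation or the ConfigEngine tooling; the property names are taken from this page, and the sample settings it lints are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): lint the WebSEAL junction and TAI parameters
# in wkplc_comp.properties against the rules stated in the procedure.
# prop FILE KEY: print the value of KEY (key=value lines), or nothing if absent
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# check_tam_props FILE: report each problem found; return 0 only if none
check_tam_props() {
  f=$1; rc=0
  jt=$(prop "$f" wp.ac.impl.JunctionType)
  jp=$(prop "$f" wp.ac.impl.JunctionPoint)
  login=$(prop "$f" wp.ac.impl.loginId)
  bauser=$(prop "$f" wp.ac.impl.BaUserName)
  bapw=$(prop "$f" wp.ac.impl.BaPassword)
  case "$jt" in
    tcp) [ -n "$login" ] || { echo "tcp junction: wp.ac.impl.loginId is empty"; rc=1; } ;;
    ssl) [ -n "$bauser" ] && [ -n "$bapw" ] ||
           { echo "ssl junction: BaUserName and BaPassword are required"; rc=1; } ;;
    *)   echo "wp.ac.impl.JunctionType must be tcp or ssl (got '$jt')"; rc=1 ;;
  esac
  # the junction point must begin with the / character
  case "$jp" in /*) ;; *) echo "wp.ac.impl.JunctionPoint must begin with /"; rc=1 ;; esac
  # the trusted user is for the TAI only: never sec_master or wpsadmin
  for u in "$login" "$bauser"; do
    case "$u" in
      sec_master|wpsadmin) echo "trusted user must not be $u"; rc=1 ;;
    esac
  done
  return $rc
}
# sample_props good|bad: constructed sample settings, not from a real installation
sample_props() {
  if [ "$1" = good ]; then
    printf '%s\n' 'wp.ac.impl.JunctionType=ssl' 'wp.ac.impl.JunctionPoint=/wpsjunction' \
      'wp.ac.impl.BaUserName=webseal_tai' 'wp.ac.impl.BaPassword=EXAMPLE_PW'
  else
    printf '%s\n' 'wp.ac.impl.JunctionType=tcp' 'wp.ac.impl.JunctionPoint=wpsjunction' \
      'wp.ac.impl.loginId=sec_master' 'wp.ac.impl.BaUserName=wpsadmin'
  fi
}
tmp=${TMPDIR:-/tmp}/wkplc_comp.$$   # demo: lint both constructed samples
for kind in good bad; do
  sample_props "$kind" > "$tmp"
  check_tam_props "$tmp" && echo "$kind sample: OK" || echo "$kind sample: problems found"
done; rm -f "$tmp"
```

To lint a real installation, call check_tam_props with the path of your wkplc_comp.properties file.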
Related tasks
Creating the AMJRTE properties file