Configure TAM to perform authentication only


Overview

Portal runs on IBM WAS, which can use Trust Association Interceptors (TAIs) to provide third-party authentication. WebSphere Portal and WAS support a TAI provided by Tivoli Access Manager. If you use TAM to perform authorization for WebSphere Portal, also use TAM to perform the authentication. Using TAM to perform only authorization is not supported.

This example assumes that HTTP Server is the Web server.

The term pdadmin refers to a command line utility that supports TAM administrative functions.

Perform the validate-pdadmin-connection task on all nodes in the cluster. Perform all other steps on the primary node.


Configure TAM to perform authentication only

  1. Install and configure WebSphere Portal, the database, and the user registry.

  2. Start the TAM policy and authorization servers

  3. Install and configure WebSEAL.

  4. Optional. Create an SSL junction using LTPA authentication on the WebSEAL node:

    1. Open a pdadmin command prompt from any node that has a TAM Runtime component installed.

      This can be done on the TAM Server node, WebSEAL node or the WebSphere Portal node.

    2. Enter the server task... 

      WebSEAL-Instance-webseald-WebSEAL-HostName create 
      -t ssl
      -b filter
      -A
      -F /path/to/keyfile
      -Z LTPA-Password
      -h Target-Host
      -c all /Junction-Name

      .where...

        -A Enable LTPA cookies.
        -F /path/to/keyfile Full path on the WebSEAL server to the key file used to encrypt the shared key originally created on the WAS server and copied securely to the WebSEAL server. Verify that the automatic LTPA Key generation is disabled.
        -Z LTPA-Password Password required to open the key file.

  5. To use an SSL junction, follow the instructions in steps 1-3 of Set up SSL, and then execute...

    1. Use the IBM Key Management utility to load the Web server certificate into the keyring for the appropriate instance of WebSEAL.

    2. Restart WebSEAL.

  6. Enter the following tasks on the pdadmin command line to create the trusted user account:

    One of the underlying TAI security requirements is the trusted user account in the TAM user registry that WAS is configured to use. This is the ID and password that WebSEAL uses to identify itself to WAS.

    To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account should be for the TAI only.

      pdadmin> user create webseal_useridwebseal_userid_DNfirstnamesurnamepassword
      pdadmin> user modify webseal_userid account-valid yes

  7. Validate that the AMJRTE properties exists: 

    cd WP_PROFILE/ConfigEngine 
./ConfigEngine.sh validate-pdadmin-connection  \
                  -DWasPassword=foo \
                  -Dwp.ac.impl.PDAdminPwd=foo

      Complete this step on all nodes.

    If the task does not run successfully, run create the AMJRTE properties file...

      run-svrssl-config

    .then run the validate-pdadmin-connection task again. If the task is not successful after a second attempt, do not perform any subsequent steps in this topic. The fact that the task does not run successfully indicates that the portal cannot connect to the TAM server.

  8. On all nodes, edit wkplc_comp.properties and enter the following parameters under the WebSEAL junction parameters heading:

    wp.ac.impl.JunctionType tcp or ssl. Type of junction to be created in TAM.

    wp.ac.impl.JunctionPoint WebSEAL junction point to the WebSphere Portal installation. Must begin with the /.

    wp.ac.impl.WebSealInstance WebSEAL installation used to create the junction.

    wp.ac.impl.TAICreds Beaders inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.

    wp.ac.impl.JunctionHost Backend server host name to supply to the junction create command.

    wp.ac.impl.JunctionPort Backend server port to supply to the junction create command.

  9. Enter only the following parameters in wkplc_comp.properties under the WAS WebSEAL TAI parameters heading:

    wp.ac.impl.hostnames Enter the fully qualified URL for WebSphere Portal.

    wp.ac.impl.ports Port number used to access host machine identified in wp.ac.impl.hostnames.

    wp.ac.impl.loginId Reverse proxy identity used when you create a TCP junction.

    wp.ac.impl.BaUserName Reverse proxy identity used when you create an SSL junction.

    wp.ac.impl.BaPassword Password for the SSL junction reverse proxy ID.

  10. Save the changes to the properties file.

  11. Configure TAI for TAM: 
      cd WP_PROFILE/ConfigEngine
     
./ConfigEngine.sh enable-tam-tai \
                  -DWasPassword=foo \
                  -Dwp.ac.impl.PDAdminPwd=foo

  12. Enable user provisioning, if required.

  13. Stop and restart the appropriate servers to propagate the changes.

  14. If you created a TCP junction in the previous steps, go to the WebSEAL machine and edit...

      the webseald-instance.conf

    .for the appropriate WebSEAL instance. An example is...

      webseald-default.conf

    This sets the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WAS. This user ID and password were created in an earlier step. Stop and start the WebSEAL server before continuing.

  15. The length of the generated URLs may cause problems if the WebSEAL instance is on the Windows platform. Edit...

      webseald-instance.conf

    .and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.

  16. From the TAM admin command line, import WebSphere Portal users and groups into TAM...

      user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
      user modify wpsadmin account-valid yes
      group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com


Parent

Configure TAM


Related tasks


Start and stop servers, dmgrs, and node agents
Enable user provisioning


Create the AMJRTE properties file


+

Search Tips   |   Advanced Search