Use external security managers in a cluster
Overview
Configure external security managers after completing all other setup, including ensuring that the WebSphere Portal cluster is functional and verifying the system requirements.
When setting up security in a cluster to use an external security manager, review and, if required, perform the security configuration on each node in the cluster...
If you make any changes to the external security manager configuration after initially setting it up, first make the changes in wkplc_comp.properties on the primary node of the cluster. If additional nodes exist in the cluster, ensure that any changes you make to wkplc_comp.properties on the primary node are propagated to the other nodes in the cluster.
Run the validate-pdadmin-connection task on each node in the cluster. If it fails, run run-svrssl-config before attempting to run validate-pdadmin-connection again.
Note that the parameter wp.ac.impl.PDServerName in wkplc_comp.properties represents an individual configured AMJRTE connection to TAM, and each node in the cluster must have a unique value for it before running run-svrssl-config.
If you are using an external Web server, additional configuration is required before running any task to configure an external security manager with a WebSphere Portal cluster. Edit wkplc_comp.properties on each node, and ensure that the values for the properties ... are set to the back-end server host name and port number you are using for the Web server.
Ensure that the WebSEAL Trust Association Interceptor (TAI) parameters, found in wkplc_comp.properties, are the same on each node in the cluster. If you run a configuration task at a later time that overwrites the WebSEAL junction, the WAS TAI properties are not automatically updated, so manually ensure that all nodes are using the same parameters. To manually ensure the nodes are the same, use the Deployment Manager administrative console and navigate to...
Security | Global security | Web and SIP Security | Trust Association | Interceptors | com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus | Custom properties
Enter the file location specified by the wp.ac.impl.PDPermPath parameter in wkplc_comp.properties. This property indicates the location of the TAM AMJRTE properties file (PdPerm.properties). In a cluster composed of nodes with different OSs, the location of the PdPerm.properties file might differ, depending on the node.
This value can be set globally for all cluster members by using the com.ibm.websphere.security.webseal.configURL property, accessed in the Deployment Manager administrative console by clicking...
Security | Global security | Web and SIP Security | Trust Association | Interceptors | com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus | Custom properties
Because the Deployment Manager security configuration is not sensitive to each node's filesystem type, the value for the configURL property must be resolved on each node as specified in the administrative console.
To ensure that the location of the PdPerm.properties file is properly specified, use one of the following approaches:
- If the nodes are all on UNIX platforms, use the UNIX link command (ln) to ensure that the value for com.ibm.websphere.security.webseal.configURL resolves on each node.
- If the PdPerm.properties file location differs on each node and the cluster consists of different platforms, this property can accept a WAS variable that establishes the location on each node's filesystem, so that the file is referenced correctly on every node.
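Because the checks above (a unique wp.ac.impl.PDServerName per node, identical WebSEAL TAI settings on every node, and a PdPerm.properties path that may legitimately differ) are otherwise done by hand, the following added example script, which is not part of the WebSphere Portal documentation, runs them over copies of wkplc_comp.properties collected from each node. Comparing every wp.ac.impl.* key except PDServerName and PDPermPath is an assumption made for this example, and the sample key names and values are constructed.

```shell
#!/bin/sh
# Added example, not from the WebSphere Portal documentation. Given one copy of
# wkplc_comp.properties per node, it checks the cluster invariants the page
# describes: wp.ac.impl.PDServerName must be set and unique on each node, and
# the remaining wp.ac.impl.* settings must match across nodes. Excluding only
# PDServerName and PDPermPath (which may differ per node) is an assumption.

# Value of key $2 (a sed-escaped regex) in properties file $1; last definition wins.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Sorted key=value lines of the settings that must be identical on every node.
shared_props() {
    grep '^[[:space:]]*wp\.ac\.impl\.' "$1" \
      | grep -v -e 'wp\.ac\.impl\.PDServerName' -e 'wp\.ac\.impl\.PDPermPath' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/' | sort
}

# check_cluster_props FILE... ; prints each finding, returns 0 only when clean.
check_cluster_props() {
    rc=0; seen=""; ref=""; reff=""
    for f in "$@"; do
        name=$(prop_value "$f" 'wp\.ac\.impl\.PDServerName')
        if [ -z "$name" ]; then
            echo "MISSING: wp.ac.impl.PDServerName not set in $f"; rc=1
        else
            case " $seen " in
                *" $name "*) echo "DUPLICATE: PDServerName '$name' reused in $f"; rc=1 ;;
            esac
            seen="$seen $name"
        fi
        cur=$(shared_props "$f")
        if [ -z "$reff" ]; then ref="$cur"; reff="$f"
        elif [ "$cur" != "$ref" ]; then
            echo "MISMATCH: wp.ac.impl.* settings in $f differ from $reff"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for copies collected from three nodes:
# node2 reuses node1's PDServerName and node3 has a drifted TAI setting.
write_samples() {
    d=$(mktemp -d)
    printf 'wp.ac.impl.PDServerName=portal_node1\nwp.ac.impl.PDPermPath=/opt/n1/PdPerm.properties\nwp.ac.impl.TAICreds=iv-creds\n' > "$d/node1.properties"
    printf 'wp.ac.impl.PDServerName=portal_node1\nwp.ac.impl.PDPermPath=/opt/n2/PdPerm.properties\nwp.ac.impl.TAICreds=iv-creds\n' > "$d/node2.properties"
    printf 'wp.ac.impl.PDServerName=portal_node3\nwp.ac.impl.PDPermPath=C:/n3/PdPerm.properties\nwp.ac.impl.TAICreds=iv-user\n' > "$d/node3.properties"
    echo "$d"
}
```

Run it as `check_cluster_props node1.properties node2.properties ...` after copying each node's file; a non-zero exit means at least one node needs attention before run-svrssl-config or validate-pdadmin-connection is run.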
eTrust SiteMinder cluster considerations
Ensure that you have installed and validated the eTrust SiteMinder binaries on each node in the cluster. If you are only using eTrust SiteMinder for authentication, install and validate the Application Server Agent.
If you are using eTrust SiteMinder for authentication and authorization, both the Application Server Agent and the SDK must be installed and validated.