Configure Tivoli Access Manager to perform authentication only

IBM WebSphere Portal runs on IBM WAS, which can use Trust Association Interceptors (TAIs) to provide third-party authentication. WebSphere Portal and WAS support a TAI that is provided by Tivoli. If we use Tivoli Access Manager to perform authorization for WebSphere Portal, also use TAM to perform the authentication. Using TAM to perform only authorization is not supported.

To configure TAM to perform authentication only:

• Review the WebSEAL Administrator's Guide.
• This example assumes that HTTP Server is the web server.
• The term pdadmin refers to a command-line utility that supports TAM administrative functions.

For clustered environments, complete validate-pdadmin-connection on all nodes in the cluster. For all other steps, complete on primary node only.

Configure TAM to perform authentication only

1. Install and configure WebSphere Portal, the database, and the user registry.

2. Start the TAM policy and authorization servers.

3. Install and configure WebSEAL.

4. Optional: Create an SSL junction using LTPA authentication on the WebSEAL node:

   1. Open a pdadmin command prompt from any node that has a TAM run time component installed, including TAM Server node, WebSEAL node, or the node, and run...
      server task WebSEAL-instance_name -webseald-WebSEAL-HostName virtualhost create -t type -h hostname [options] vhost-label

      ...where...

      vhost-label	Virtual host label. Name for the virtual host junction. Always mounted at the root of the WebSEAL object space (Web Portal Manager). Use this junction label when running pdadmin. The label must be unique within each instance of WebSEAL. Because the label represents virtual host junctions in the protected object space, the label name must not contain the forward slash character (/).
      -t type	Defines whether the junction is encrypted (-t ssl) or not encrypted (-t tcp). Required.
      -h hostname	Back end server to which the junction connects. In most situations, host name is the HTTP server that sits in front of WebSphere Portal. Required
      -p port	Port number for the back end server to which the junction connects. If not specified, the default value is 80 for HTTP or 443 for HTTPS.
      -v vhost_name[:port]	Virtual host name and port number that defines the junction. WebSEAL maps incoming requests to this host name and port to this junction. If not specified, the values default to the -h hostname and -p port values.
      -c credential-generation	Generate the credential information.
      -A	Enable LTPA cookies
      -F key file	Full path name location on the WebSEAL server of the key file used to encrypt the shared key that is originally created on the WAS server and copied securely to the WebSEAL server. Verify the automatic LTPA Key generation is disabled.
      -Z keyfile-password	Password required to open the key file.

5. To use an SSL junction, see the related links and follow the instructions in steps 1 through 3 of the topic about setting up SSL.

6. To use the Web application bridge integration feature, use an SSL junction:

   1. Use the IBM Key Management utility to load the web server certificate into the keyring for the appropriate instance of WebSEAL.

   2. Restart WebSEAL.

7. Create the trusted user account:

   The trusted user account in the TAM user registry must be the same as the one WAS is configured to use. .

   To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account must be for the TAI only.

   1. pdadmin> user create webseal_useridwebseal_userid_DNfirstnamesurnamepassword
      

   2. pdadmin> user modify webseal_userid account-valid yes
      

8. Validate that the AMJRTE properties exists:
   ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo

   Clustered environments:

   • Complete this step on all nodes.
   • WasPassword is the dmgr administrative password.

   If the task does not run successfully: Run run-svrssl-config to create the properties file, see Create the AMJRTE properties file, then run validate-pdadmin-connection again. If the task is not successful after a second attempt, do not perform any subsequent steps in this topic. The face that the task does not run successfully indicates that the portal cannot connect to the TAM server.

9. Edit wkplc_comp.properties
   WP_PROFILE/ConfigEngine/properties

   Clustered environments: Complete this step on all nodes.

10. Enter the following parameter in wkplc_comp.properties under the WebSEAL junction parameters heading:

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.TAICreds, type the headers inserted by WebSEAthat the TAI uses to identify the request as originating from WebSEAL.

    Clustered environments: Complete this step on all nodes.

11. Enter only the following parameters in wkplc_comp.properties under the WAS WebSEAL TAI parameters heading:

    1. For wp.ac.impl.hostnames, enter the fully qualified URL for WebSphere Portal.

    2. For wp.ac.impl.ports, enter the port number used to access the host machine identified in wp.ac.impl.hostnames.

    3. For wp.ac.impl.loginId, enter the reverse proxy identity used when created a TCP junction.

    4. For wp.ac.impl.BaUserName, enter the reverse proxy identity used when created an SSL junction.

    5. For wp.ac.impl.BaPassword, enter the password for the SSL junction reverse proxy ID.

12. Save your changes to the properties file.
    

13. The new recommended TAI implementation version is only available as a download and needs to be added to the system.

    See the related links section to download the Extended TAM Trust Association Interceptor Plus (ETAI) and add the binaries to the environment. WAS deprecated the TAI implementation that is available with WebSphere Portal. If use the deprecated TAI implementation:

    1. Open wkplc_comp.properties.

    2. Add the TAMTAIName parameter to the WAS WebSEAL TAI section.

    3. Enter com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus as the value.

14. Configure TAI for TAM:
    ./ConfigEngine.sh enable-tam-tai -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo from the WP_PROFILE/ConfigEngine

    Clustered environments: WasPassword is the dmgr administrative password.

15. Optional: Enable user provisioning, if required.

16. If we are using TAM in a stand-alone environment that does not include a Web server:

    1. Log on to the WAS admin console and go to...
       Servers > Server Types > Web appservers > WebSphere_Portal > Web container settings > Web Container > Additional Properties > Custom properties

    2. Click New and add the com.ibm.ws.webcontainer.extracthostheaderport custom property with a value of true.

    3. Click OK.

    4. Click New and add the trusthostheaderport custom property with a value of true.

    5. Click OK.

    6. Click Save to save the changes.

    7. Log out of the WAS admin console.

17. Stop and restart servers, dmgrs, and node agents.

18. If you created a TCP junction in the previous steps, go to the WebSEAL machine and edit the webseald-instance.conf file for the appropriate WebSEAL instance. An example is webseald-default.conf. This sets the basicauth-dummy-passwd value to the password for the Ithat WebSEAL uses to identify itself to WAS. This user ID and password were created in an earlier step. Stop and start the WebSEAL server before continuing.

19. The length of the generated URLs might cause problems if the WebSEAL instance is on the Windows platform. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.

20. Import WebSphere Portal users and groups into TAM.

    Enter the following commands on the TAM administrative command line, where wpsadmin is the user ID for the administrator, and wpsadmins is the administrators group name. The fully distinguished names of these user and group IDs vary depending on the LDAP settings.

    user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
    user modify wpsadmin account-valid yes
    group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com

21. Some functions of WebSphere Portal require the use of the PUT, and DELETE HTTP method.

    By default, WebSEAL does not allow these requests. You must either allow this method at the applicable WebSEAL ACL and web server, or change the HTTP methods in the x-method-override configuration.

Parent: Configure Tivoli Access Manager for non-z/OS operating systems
Related:

1. Migration consideration for Tivoli Access Manager integration
2. Start and stop servers, dmgrs, and node agents
3. Enable user provisioning
4. Set up SSL
5. Enable user provisioning
6. Switch for tunneling of HTTP methods
7. Tivoli Access Manager for e-business
8. Create the AMJRTE properties file