
Configure Tivoli Access Manager to perform authorization


Configuring IBM Tivoli Access Manager to perform authorization is a separate task from configuring it to perform authentication, but you must complete both tasks. Using Tivoli Access Manager for authorization only is not supported.

Complete the steps in Configure Tivoli Access Manager to perform authentication only before configuring Tivoli Access Manager to perform authorization.

Important: There are additional considerations when you set up security to use an external security manager in a clustered environment and across mixed nodes. For example, complete any configuration for the external security manager only after you have completed all other configuration tasks, including verifying that the cluster is functional.

To configure Tivoli Access Manager to perform authorization:

  1. Validate that the AMJRTE properties file exists by running the validate-pdadmin-connection task. Replace foo with the WebSphere administrative password (WasPassword) and the Tivoli Access Manager administrative password (wp.ac.impl.PDAdminPwd) respectively:

    Operating system      Task
    Windows               ConfigEngine.bat validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
    AIX, Solaris, Linux   ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
    IBM i                 ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo

    Clustered environments:

    • Complete this step on all nodes.
    • WasPassword is the dmgr administrative password.

    If the task does not run successfully: Run run-svrssl-config to create the properties file (see Create the AMJRTE properties file), then run validate-pdadmin-connection again. If the task still fails on the second attempt, do not perform any subsequent steps in this topic: a failing validate-pdadmin-connection task means that the portal cannot connect to the Tivoli Access Manager server, and the remaining steps depend on that connection.

  2. Enter only the following parameters in wkplc_comp.properties under the Namespace management parameters heading:

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.EACserverName, type the server part of the namespace context that further distinguishes externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.

    2. For wp.ac.impl.EACcellName, type the cell part of the namespace context that further distinguishes externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.

    3. For wp.ac.impl.EACappname, type the application part of the namespace context that further distinguishes externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserverName must also be set. The three parameters are either all set or all unset.

    4. For wp.ac.impl.reorderRoles, type false to keep the role order or true to reorder the roles by resource type first.

    Clustered environments: Complete this step on all nodes.

  3. Enter only the following parameters in wkplc_comp.properties under the Portal authorization parameters heading:

    Clustered environments: Complete this step on all nodes.

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.PDRoot, type the root objectspace entry in the Tivoli Access Manager namespace. All Portal roles will be installed under this objectspace entry. If you will be using Tivoli Access Manager for multiple profiles, choose a unique name for each root objectspace entry to easily distinguish one entry from another profile entry.

    2. For wp.ac.impl.PDAction, type the Custom Action created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    3. For wp.ac.impl.PDActionGroup, type the Custom Action group created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    4. For wp.ac.impl.PDCreateAcl, type true to have WebSphere Portal automatically create and attach a Tivoli Access Manager ACL when it externalizes a role, or false to externalize roles without creating or attaching an ACL.

  4. Save your changes to the properties file.

  5. Run the enable-tam-authorization task to enable Tivoli Access Manager authorization:

    Operating system      Task
    Windows               ConfigEngine.bat enable-tam-authorization -DWasPassword=foo from the WP_PROFILE\ConfigEngine directory
    AIX, Solaris, Linux   ./ConfigEngine.sh enable-tam-authorization -DWasPassword=foo from the WP_PROFILE/ConfigEngine directory
    IBM i                 ConfigEngine.sh enable-tam-authorization -DWasPassword=foo from the WP_PROFILE/ConfigEngine directory

    Clustered environments:

    • Complete this step on all nodes.
    • WasPassword is the dmgr administrative password.

    If the task does not run successfully: Ensure the values in wkplc_comp.properties are valid.

  6. Stop and restart servers, dmgrs, and node agents.

After completing this procedure, the Tivoli Access Manager protected object space contains an entry for each externalized role in the following format: PORTAL_HOME/role_name/application_name/server/cell_name; for example: PORTAL_HOME/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell.
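The enable-tam-authorization task in step 5 only tells you that something in wkplc_comp.properties is invalid, not what. The following POSIX shell script is an added example, not IBM's code: it checks the constraints that steps 2 and 3 state (the three EAC parameters set together or not at all, PDRoot, PDAction and PDActionGroup non-empty, reorderRoles and PDCreateAcl exactly true or false) against a properties file before you run ConfigEngine, and prints the protected object space entry a role will get in the format described above. The properties file content is a constructed sample; the property names are the ones this page lists, but the values (/WPS, m, WPS, server, cell, app) are placeholders for the example, not documented defaults. The script also assumes that PORTAL_HOME in the page's format stands for the wp.ac.impl.PDRoot value, which the page does not state explicitly.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation): pre-flight checks for the
# wkplc_comp.properties parameters that the Tivoli Access Manager authorization
# procedure requires, plus the resulting protected object space entry.
set -u

# Constructed sample of the relevant section of wkplc_comp.properties.
SAMPLE_PROPS="$(mktemp)"
trap 'rm -f "$SAMPLE_PROPS"' EXIT
cat > "$SAMPLE_PROPS" <<'EOF'
# Namespace management parameters (constructed sample values)
wp.ac.impl.EACserverName=server
wp.ac.impl.EACcellName=cell
wp.ac.impl.EACappname=app
wp.ac.impl.reorderRoles=false
# Portal authorization parameters (constructed sample values)
wp.ac.impl.PDRoot=/WPS
wp.ac.impl.PDAction=m
wp.ac.impl.PDActionGroup=WPS
wp.ac.impl.PDCreateAcl=true
EOF

# prop FILE KEY: print the value of KEY. The last assignment wins, as in a Java
# properties file; nothing is printed if the key is absent.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_eac_triple FILE: EACserverName, EACcellName and EACappname must be set
# together; succeed only if all three or none of them are set.
check_eac_triple() {
    n=0
    for k in wp.ac.impl.EACserverName wp.ac.impl.EACcellName wp.ac.impl.EACappname; do
        if [ -n "$(prop "$1" "$k")" ]; then n=$((n + 1)); fi
    done
    [ "$n" -eq 0 ] || [ "$n" -eq 3 ]
}

# check_bool FILE KEY: reorderRoles and PDCreateAcl must be exactly true or false.
check_bool() {
    v=$(prop "$1" "$2")
    [ "$v" = true ] || [ "$v" = false ]
}

# check_required FILE: PDRoot, PDAction and PDActionGroup must all be non-empty.
check_required() {
    for k in wp.ac.impl.PDRoot wp.ac.impl.PDAction wp.ac.impl.PDActionGroup; do
        [ -n "$(prop "$1" "$k")" ] || return 1
    done
}

# validate_props FILE: run every check, report each failure on stderr, and
# return 1 if any check failed.
validate_props() {
    rc=0
    check_eac_triple "$1" || { echo "EACserverName, EACcellName and EACappname must be set together" >&2; rc=1; }
    check_required "$1"   || { echo "PDRoot, PDAction and PDActionGroup must all be set" >&2; rc=1; }
    check_bool "$1" wp.ac.impl.reorderRoles || { echo "reorderRoles must be true or false" >&2; rc=1; }
    check_bool "$1" wp.ac.impl.PDCreateAcl  || { echo "PDCreateAcl must be true or false" >&2; rc=1; }
    return "$rc"
}

# object_entry FILE ROLE_NAME: the protected object space entry the page describes,
# PORTAL_HOME/role_name/application_name/server/cell_name. Assumption for this
# example: PORTAL_HOME is the wp.ac.impl.PDRoot value. Fails if the EAC triple is
# not set, because the format has no meaning without it.
object_entry() {
    root=$(prop "$1" wp.ac.impl.PDRoot)
    app=$(prop "$1" wp.ac.impl.EACappname)
    srv=$(prop "$1" wp.ac.impl.EACserverName)
    cell=$(prop "$1" wp.ac.impl.EACcellName)
    [ -n "$root" ] && [ -n "$app" ] && [ -n "$srv" ] && [ -n "$cell" ] || return 1
    printf '%s/%s/%s/%s/%s\n' "${root%/}" "$2" "$app" "$srv" "$cell"
}

# Dry run against the constructed sample: validate, then show where the
# Administrator role of the virtual resource EXTERNAL_ACCESS_CONTROL would land.
validate_props "$SAMPLE_PROPS" &&
    object_entry "$SAMPLE_PROPS" 'Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL'
# -> /WPS/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell
```

Run it against the real file (for example `validate_props WP_PROFILE/ConfigEngine/properties/wkplc_comp.properties`, path to be adjusted to your installation) on every node before step 5; in a cluster, diffing the output of object_entry across nodes is a quick way to confirm that the parameters match as the cluster notes require. Note that ConfigEngine takes -DWasPassword and -Dwp.ac.impl.PDAdminPwd on the command line, so both passwords are visible in the process list while the task runs and remain in the shell history afterwards; run the tasks from a private shell on a host where that exposure is acceptable, and clear the history when you are done.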


Parent: Configure Tivoli Access Manager for non-z/OS operating systems
Related:
Start and stop servers, dmgrs, and node agents
Create the AMJRTE properties file