External Access Control Service
The portal External Access Control Service collects authorization data from external security managers, such as CA eTrust SiteMinder or IBM Security Access Manager.
In the WAS console, the portal External Access Control Service is listed as WP ExternalAccessControlService.
In the portal External Access Control Service, we can modify the configuration properties listed below. However, plan well ahead and apply special care when modifying them.
General properties of the External Access Control Service
These properties are used for general purposes of the External Access Control Service.
- externalaccesscontrol.ready = (false)
- Indicates whether the configuration in this file has been set up to connect to the External Security Manager. The default is false.
- externalaccesscontrol.server = WebSphere_Portal
- externalaccesscontrol.application = WPS
- externalaccesscontrol.cell = cell
- Role name representations are qualified with a context built by these three properties. For example, the Administrator@External_Access_Control/xxx/xxx is represented as follows:
- Security Access Manager: Protected object space entry
/WPSv6/Administrator@External_Access_Control/xxx/xxx/WPS/WebSphere_Portal/cell
- eTrust SiteMinder:
- resource/subrealms under Domain: WebSphere Portal v8 /cell/WebSphere_Portal/WPS/Administrator@External_Access_Control/xxx/xxx
Access Manager configuration
Use the following properties to configure the connection between WebSphere Portal and the Tivoli Access Manager.
- externalaccesscontrol.pdroot = (/WPSv6)
- After completing the AMJRTE and SrvSslCfg ConfigEngine tasks, the following directives are required to allow WebSphere Portal to use Tivoli Access Manager as an External Security Manager. Provide the root of your Protected Object Space for Portal Server entries.
- externalaccesscontrol.pduser = sec_master
- externalaccesscontrol.pdpw = passw0rd
- Use these properties to provide an administrative user ID and password with adequate rights in Tivoli to create, delete, and modify the objects in the Protected Object Space. Use the WAS PropFilePasswordEncoder utility to mask the password. Using PropFilePasswordEncoder removes all comments and all properties that are commented out. Therefore create a backup copy of this file for future reference before using the PropFilePasswordEncoder utility.
An example of masking the password is:
APPSERVER_ROOT/bin/PropFilePasswordEncoder WP_PROFILE/PortalServer/config/properties/ExternalAccessControlService.properties externalaccesscontrol.pdpw
Type this command on one line in a command line window.
- externalaccesscontrol.pdurl=file:///${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties
- Specify the URL location of the Access Manager properties file for AMJRTE. This URL must be in the format file:///directory_path_to_properties_file. HTTP URLs are not supported.
- externalaccesscontrol.createAcl = (true)
- Optional. Whether Access Control Lists (ACLs) are created in Access Manager for roles stored externally. The default is true. If false, the Access Manager administrator will be responsible for all ACL linkages between Security Access Manager and WebSphere Portal. Possible values for this property are:
- true
- A Security Access Manager ACL will be created for every WebSphere Portal resource. Default.
- false
- No ACLs will be created for portal objects.
- externalaccesscontrol.pdactiongroup = ([WPS])
- externalaccesscontrol.pdAction = (m)
- These properties are optional. Use them to specify the action group and the customized actions that map to portal role membership. If these items do not exist, they are created at startup. The values shown above are the defaults.
CA eTrust SiteMinder policy server information
Use the following properties to configure the connection between WebSphere Portal and the Policy Server.
- externalaccesscontrol.domainname = WebSphere Portal V 8
- Domain name to be created in the eTrust SiteMinder administrative GUI. All realms and sub-realms will be created under this domain. This domain will be created when starting WebSphere Portal.
- externalaccesscontrol.scheme = (Basic)
- Scheme to be associated with the realms. Define this scheme in eTrust SiteMinder before starting WebSphere Portal. The default value is Basic.
- externalaccesscontrol.agentname = wpsagent
- externalaccesscontrol.agentsecret = passw0rd
- Agent name and secret used to establish a run time connection with eTrust SiteMinder. The agent should be a web agent with a static shared secret; for Web Agents later than Version 4.6, enable the property supports 4.x agents on the eTrust SiteMinder web agent. Use the WAS PropFilePasswordEncoder utility to mask the password.
Using PropFilePasswordEncoder removes all comments and all properties that are commented out. Therefore make sure you create a backup copy of this file for future reference before using the PropFilePasswordEncoder utility.
An example of masking the password is:
APPSERVER_ROOT/bin/PropFilePasswordEncoder WP_PROFILE/PortalServer/config/properties/ExternalAccessControlService.properties externalaccesscontrol.agentsecret
Type this command on one line in a command line window.
- externalaccesscontrol.admin = siteminder
- externalaccesscontrol.password = passw0rd
- Administrative user ID and password for a user who can create, delete, and modify eTrust SiteMinder objects used to represent WebSphere Portal roles. This user ID must have sufficient access to domain level objects in eTrust SiteMinder. Use the WAS PropFilePasswordEncoder utility to mask the password.
Using PropFilePasswordEncoder removes all comments and all properties that are commented out. Therefore make sure you create a backup copy of this file for future reference before using the PropFilePasswordEncoder utility.
An example of masking the password is:
APPSERVER_ROOT/bin/PropFilePasswordEncoder WP_PROFILE/PortalServer/properties/ExternalAccessControlService.properties externalaccesscontrol.password
- externalaccesscontrol.userdir = (User Directory 1)
- User Directory associated with the domain. We configure the failover for user directories in the eTrust SiteMinder administrative GUI. The user directory must exist before starting WebSphere Portal.
- externalaccesscontrol.failOver = (false)
- Whether the ESM subsystem should switch to another Policy Server if it cannot contact the current one. Possible values are true and false. We can specify this property as either externalaccesscontrol.failOver or externalaccesscontrol.failover.
It is important that this value and the number of Policy Server IP addresses specified by the servers property are carefully coordinated. If we specify multiple Policy Server addresses on the servers property and this property is set to false, the Computer Associates Agent API follows round-robin load balancing, distributing (spraying) requests between the configured Policy Servers. This may be appropriate for a TAI that only performs read operations against the Policy Servers, but not for write operations. If we have multiple servers defined in the externalaccesscontrol.servers property (described next), set failOver to true.
- externalaccesscontrol.servers = server1,server2, . . .
- IP addresses of all the Policy Servers. Multiple addresses must be separated by commas. An example is: servers=10.0.0.1,10.0.0.2.
If we have multiple servers defined in the externalaccesscontrol.servers property, set the failOver property to true.
Define the following properties for each server. To differentiate the properties for each server, specify the keys in the format server_IP_address.key=value. The defaults are assumed for any keys that you omit. The available keys are as follows:
- accountingPort = (44441)
- The accounting port for the Policy Server. The default is 44441.
- authenticationPort = (44442)
- The authentication port for the Policy Server. The default is 44442.
- authorizationPort = (44443)
- The authorization port for the Policy Server. The default is 44443.
- connectionMax = (10)
- The maximum number of connections which the authorization service may make to this Policy Server. The default is 10.
- connectionMin = (1)
- The initial number of connections which the authorization service will establish with this Policy Server. The default is 1.
- connectionStep = (1)
- The number of connections that are to be allocated if the authorization service runs out of connections to the Policy Server. The default is 1.
- timeout = (20)
- The connection timeout in seconds. The default is 20.
An example for server 10.0.0.1 is as follows:
10.0.0.1.accountingPort=44441
10.0.0.1.authenticationPort=44442
10.0.0.1.authorizationPort=44443
10.0.0.1.connectionMax=30
10.0.0.1.connectionMin=10
10.0.0.1.connectionStep=5
10.0.0.1.timeout=60
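The following is an added example, not code from the page or from IBM: it reads the eTrust SiteMinder section of an ExternalAccessControlService.properties file, applies the per-server defaults listed above, and flags the failOver/servers mismatch the text warns about. The sample properties text is constructed for illustration; the parser is a minimal key=value reader, not the product's own loader.

```python
"""Check Policy Server settings in ExternalAccessControlService.properties."""

# Per-server key defaults as documented on this page.
SERVER_KEY_DEFAULTS = {
    "accountingPort": 44441,
    "authenticationPort": 44442,
    "authorizationPort": 44443,
    "connectionMax": 10,
    "connectionMin": 1,
    "connectionStep": 1,
    "timeout": 20,
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def policy_server_config(props):
    """Return (per-server settings, failOver flag, warnings) for the ESM block."""
    servers = [s.strip() for s in props.get("externalaccesscontrol.servers", "").split(",") if s.strip()]
    # Both spellings of the key are accepted by the product.
    raw_fail_over = props.get("externalaccesscontrol.failOver", props.get("externalaccesscontrol.failover", "false"))
    fail_over = raw_fail_over.lower() == "true"
    warnings = []
    if len(servers) > 1 and not fail_over:
        # Round-robin spraying of write operations across Policy Servers.
        warnings.append("multiple Policy Servers configured but failOver is false; set failOver=true")
    per_server = {}
    for ip in servers:
        # Keys are prefixed with the server IP address; omitted keys take the defaults.
        per_server[ip] = {key: int(props.get(f"{ip}.{key}", default)) for key, default in SERVER_KEY_DEFAULTS.items()}
    return per_server, fail_over, warnings


# Constructed sample: two Policy Servers, failover left at its default, one server tuned.
SAMPLE = """# constructed sample, not a real deployment
externalaccesscontrol.ready=true
externalaccesscontrol.servers=10.0.0.1,10.0.0.2
10.0.0.1.connectionMax=30
10.0.0.1.connectionMin=10
10.0.0.1.connectionStep=5
10.0.0.1.timeout=60
"""
```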