Configure the Credential Vault adapter for Security Access Manager | HCL Digital Experience
We can use IBM Security Access Manager in the HCL Digital Experience Credential Vault service. HCL Portal includes a vault adapter to access the Security Access Manager Global Sign-on (GSO) lockbox. Any existing Tivoli resource or resource credentials can be used in your portlets that access the credential vault service without any additional configuration. In addition, the credential vault service and credential vault management portlet can create or update an existing GSO lockbox entry.
Users who are storing credentials in the accessmanagervault.properties file must be defined in Security Access Manager as global sign-on (GSO) users.
Clustered note: In a clustered environment, complete steps 1 and 2 on each node. The WasPassword value is the Deployment Manager administrative password.
Procedure
- Clustered environments: Complete this step on all nodes. Run the following task in the wp_profile_root/ConfigEngine directory to validate that the PdPerm.properties file is correct and that communication between HCL Portal and the Security Access Manager server works:
Run validate-pdadmin-connection on the HCL Portal node or, in a clustered environment, on each node. In a clustered environment, WasPassword is the deployment manager (dmgr) administrator password; wp.ac.impl.PDAdminPwd is the Security Access Manager administrative user password.
./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
If the task does not run successfully: Run the run-svrssl-config task to create the properties file (for information, refer to Create the PdPerm.properties file), then run the validate-pdadmin-connection task again. If the task still fails after the second attempt, do not proceed with any subsequent steps: a failing task indicates that the portal cannot connect to the Security Access Manager server. Troubleshoot the connectivity issue between the portal instance and the Security Access Manager server before continuing.
- Run the following task to create and populate the wp_profile_root/PortalServer/config/config/accessmanagervault.properties file:
./ConfigEngine.sh enable-tam-vault -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
- Set the value for the systemcred.dn property:
The systemcred.dn property defines the distinguished name of the vault administrative user. All system credentials are stored under this user account. For Security Access Manager, this user must be an existing Security Access Manager user; the Security Access Manager adapter checks that the user exists in Security Access Manager before any slots are accessed.
- Log on to the WebSphere Integrated Solutions Console.
- Go to Resources > Resource Environment > Resource Environment Providers.
- Click WP CredentialVaultService.
- Under Additional Properties, click Custom properties.
- Edit the systemcred.dn property. Set the value to an existing Security Access Manager user.
- Stop and restart the appropriate servers to propagate the changes. For specific instructions, see Start and stop servers, deployment managers, and node agents.
- Create a Credential Vault segment and slot to be used by Security Access Manager:
- Click the Administration menu icon. Then, click Access > Credential Vault. Then, click Add a vault segment.
- Select the AccessManager vault from the Vaults list; by default it is named AccessManager.
- Enter a Vault segment name and click OK.
- Click Add a vault slot.
- Select the AccessManager vault from the Vault menu.
- Enter a Name for the vault slot and click OK.
- Optional: Use the WebSphere Application Server encoding mechanism to mask the passwords in the accessmanagervault.properties file and the Security Access Manager administrative password in the pdpw property.
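The following is an added example, not HCL or IBM code, that shows what the optional masking step above does to the properties file: it reads a constructed accessmanagervault.properties sample, reports which password properties are still in the clear, and rewrites them in the {xor} format that WebSphere's PropFilePasswordEncoder produces (each byte XORed with 0x5F, then base64). It assumes pdpw is the only password key, since that is the only one this page names; the sample file contents are constructed.

```python
import base64

# "pdpw" is the only password key the page names; it holds the Security
# Access Manager administrative password.
PASSWORD_KEYS = {"pdpw"}

def xor_encode(plaintext: str) -> str:
    """Mask a value in WebSphere's {xor} format: XOR each byte with '_'
    (0x5F), then base64. This is obfuscation only, not encryption."""
    masked = bytes(b ^ 0x5F for b in plaintext.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def unmasked_password_keys(props: dict[str, str]) -> list[str]:
    """Password keys whose value is still stored in the clear."""
    return sorted(k for k in PASSWORD_KEYS
                  if k in props and not props[k].startswith("{xor}"))

def mask_passwords(text: str) -> str:
    """Return the file text with every known password key {xor}-masked;
    lines that are already masked or are not password keys are kept."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in PASSWORD_KEYS \
                and not value.strip().startswith("{xor}"):
            line = f"{key.strip()}={xor_encode(value.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample; the real file is written by enable-tam-vault.
SAMPLE = """\
# accessmanagervault.properties (constructed sample)
systemcred.dn=cn=vaultadmin,o=example
pdpw=password
"""
```

Because the {xor} scheme is reversible by anyone who can read the file, the masked file still needs the same file-system permissions as the plaintext one.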