WebSphere Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux, Windows

Configuring Tivoli Access Manager to perform authentication only

IBM® WebSphere® Portal Express runs on IBM WebSphere Application Server, which can use Trust Association Interceptors (TAIs) to provide third-party authentication. WebSphere Portal Express and WebSphere Application Server support a TAI that is provided by Tivoli. If you use Tivoli Access Manager to perform authorization for WebSphere Portal Express, also use Tivoli Access Manager to perform the authentication. Using Tivoli Access Manager to perform only authorization is not supported.

Perform the following steps to configure Tivoli Access Manager to perform authentication only:

  1. Optional: Perform the following steps to create an SSL junction using LTPA authentication on the WebSEAL node:

    1. Open a pdadmin command prompt from any node that has a Tivoli Access Manager Runtime component installed. This can be done on the Tivoli Access Manager Server node, WebSEAL node or the WebSphere Portal Express node.
    2. Enter the following command on one line:

       server task WebSEAL-Instance-webseald-WebSEAL-HostName create -t ssl -b filter -A -F LTPA-Keys-Path -Z LTPA-Password -h Target-Host -c all /Junction-Name

      • The -A option enables LTPA cookies.
      • The -F key file option and argument specifies the full path name location on the WebSEAL server of the key file used to encrypt the shared key. That shared key is originally created on the WebSphere Application Server and must be copied securely to the WebSEAL server. Refer to the WebSphere Application Server product documentation for specific details regarding exporting the LTPA key.
      • The -Z keyfile-password option and argument specifies the password required to open the key file.
  2. Install and configure WebSphere Portal Express, your database, and your user registry.
  3. If you plan to use an SSL junction, follow the instructions in steps 1-3 of SSL for IBM WebSphere Portal Express to set up SSL. Some of these tasks are performed on the IBM WebSphere Application Server and the Web server. The steps that refer to the WebSphere Application Server and the Web server are summarized here; refer to the WebSphere Application Server and the Web server documentation for more detailed information. Steps that are unique to WebSphere Portal Express are described in detail here.
  4. Install and configure WebSEAL. Refer to the WebSEAL Installation Guide for more information.
  5. Perform the following steps if you plan to use an SSL junction:

    1. Use the IBM Key Management utility to load the Web server certificate into the keyring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
    2. Restart WebSEAL.
  6. Enter the following tasks on the pdadmin command line to create the trusted user account. One of the underlying TAI security requirements is the trusted user account in the Tivoli Access Manager user registry that WebSphere Application Server is configured to use. This is the ID and password that WebSEAL uses to identify itself to WebSphere Application Server.

     Note: To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account should be for the TAI only.

    1. pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
    2. pdadmin> user modify webseal_userid account-valid yes
  7. Use a text editor to open the wkplc_comp.properties file, located in the following directory:

      • Windows: wp_profile\ConfigEngine
      • Linux: wp_profile/ConfigEngine
      • i5/OS: profiles/wp_profile/ConfigEngine
  8. Enter only the following parameters in the wkplc_comp.properties file under the AMJRTE connection parameters heading:

    1. For wp.ac.impl.PDAdminId, enter the user ID for the administrative Tivoli Access Manager user.
    2. For wp.ac.impl.PDAminPwd, enter the password for the administrative Tivoli Access Manager user.
    3. For wp.ac.impl.PDPermPath, enter the location of the Tivoli Access Manager AMJRTE properties file.
  9. Save your changes to the wkplc_comp.properties file.
  10. Run the following task to create the AMJRTE properties file:

      • Windows: ConfigEngine.bat run-svrssl-config -Dwp.ac.impl.PDAminPwd=password from the wp_profile\ConfigEngine directory
      • Linux: ./ConfigEngine.sh run-svrssl-config -Dwp.ac.impl.PDAminPwd=password from the wp_profile/ConfigEngine directory
      • i5/OS: ConfigEngine.sh -profileName profile_root run-svrssl-config -Dwp.ac.impl.PDAminPwd=password from the profiles/wp_profile/ConfigEngine directory, where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed.

    The following files are created:

      • Windows:
        C:\Program Files\IBM\WebSphere\AppServer\java\jre\PolicyDirector\PdPerm.properties
        C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security\PdPerm.ks
      • Linux:
        /usr/IBM/WebSphere/AppServer/java/jre/PolicyDirector/PdPerm.properties
        /usr/IBM/WebSphere/AppServer/java/jre/lib/security/PdPerm.ks
      • i5/OS:
        /usr/IBM/WebSphere/AppServer/java/jre/PolicyDirector/PdPerm.properties
        /usr/IBM/WebSphere/AppServer/java/jre/lib/security/PdPerm.ks


  11. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the following directory:

      • Windows: wp_profile_root\bin
      • Linux: wp_profile_root/bin
      • i5/OS: wp_profile_root/bin
    2. Enter the following command to stop the WebSphere Application Server:

      • Windows: stopServer.bat server1 -user admin_userid -password admin_password
      • Linux: ./stopServer.sh server1 -user admin_userid -password admin_password
      • i5/OS: stopServer server1 -profileName profile_root -user admin_userid -password admin_password where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.
    3. Enter the following command to stop the WebSphere_Portal server:

      • Windows: stopServer.bat WebSphere_Portal -user admin_userid -password admin_password
      • Linux: ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
      • i5/OS: stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password
    4. Enter the following command to start the WebSphere Application Server:

      • Windows: startServer.bat server1
      • Linux: ./startServer.sh server1
      • i5/OS: startServer server1 -profileName profile_root
    5. Enter the following command to start the WebSphere_Portal server:

      • Windows: startServer.bat WebSphere_Portal
      • Linux: ./startServer.sh WebSphere_Portal
      • i5/OS: startServer WebSphere_Portal -profileName profile_root
  12. Run the following validation task:

      • Windows: ConfigEngine.bat validate-pdadmin-connection -Dwp.ac.impl.PDAminPwd=password from the wp_profile\ConfigEngine directory
      • Linux: ./ConfigEngine.sh validate-pdadmin-connection -Dwp.ac.impl.PDAminPwd=password from the wp_profile/ConfigEngine directory
      • i5/OS: ConfigEngine.sh -profileName profile_root validate-pdadmin-connection -Dwp.ac.impl.PDAminPwd=password from the profiles/wp_profile/ConfigEngine directory, where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed.
  13. Use a text editor to open the wkplc_comp.properties file, located in the following directory:

      • Windows: wp_profile\ConfigEngine
      • Linux: wp_profile/ConfigEngine
      • i5/OS: profiles/wp_profile/ConfigEngine
  14. Enter only the following parameters in the wkplc_comp.properties file under the WebSEAL junction parameters heading:

    1. For wp.ac.impl.JunctionPoint, enter the WebSEAL junction point to the WebSphere Portal Express profile.
    2. For wp.ac.impl.JunctionType, enter either tcp or ssl for the junction type to create for Tivoli Access Manager.
    3. For wp.ac.impl.WebSealInstance, enter the WebSEAL instance used to create the junction.
    4. For wp.ac.impl.TAICreds, enter the headers inserted by WebSEAL that the TAI uses to identify the request originating from WebSEAL.
  15. Enter only the following parameters in the wkplc_comp.properties file under the WAS WebSEAL TAI parameters heading:

    1. For wp.ac.impl.hostnames, enter the fully qualified URL for WebSphere Portal Express.
    2. For wp.ac.impl.ports, enter the port number used to access the host machine identified in wp.ac.impl.hostnames.
    3. For wp.ac.impl.loginId, enter the reverse proxy identity used when you create a TCP junction.
    4. For wp.ac.impl.BaUserName, enter the reverse proxy identity used when you create an SSL junction.
    5. For wp.ac.impl.BaPassword, enter the password for the SSL junction reverse proxy ID.
  16. Save your changes to the wkplc_comp.properties file.
  17. Run the following task to configure TAI for Tivoli Access Manager:

      • Windows: ConfigEngine.bat enable-tam-tai -Dwp.ac.impl.PDAminPwd=password from the wp_profile\ConfigEngine directory
      • Linux: ./ConfigEngine.sh enable-tam-tai -Dwp.ac.impl.PDAminPwd=password from the wp_profile/ConfigEngine directory
      • i5/OS: ConfigEngine.sh -profileName profile_root enable-tam-tai -Dwp.ac.impl.PDAminPwd=password from the profiles/wp_profile/ConfigEngine directory
  18. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the following directory:

      • Windows: wp_profile_root\bin
      • Linux: wp_profile_root/bin
      • i5/OS: wp_profile_root/bin
    2. Enter the following command to stop the WebSphere Application Server:

      • Windows: stopServer.bat server1 -user admin_userid -password admin_password
      • Linux: ./stopServer.sh server1 -user admin_userid -password admin_password
      • i5/OS: stopServer server1 -profileName profile_root -user admin_userid -password admin_password where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.
    3. Enter the following command to stop the WebSphere_Portal server:

      • Windows: stopServer.bat WebSphere_Portal -user admin_userid -password admin_password
      • Linux: ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
      • i5/OS: stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password
    4. Enter the following command to start the WebSphere Application Server:

      • Windows: startServer.bat server1
      • Linux: ./startServer.sh server1
      • i5/OS: startServer server1 -profileName profile_root
    5. Enter the following command to start the WebSphere_Portal server:

      • Windows: startServer.bat WebSphere_Portal
      • Linux: ./startServer.sh WebSphere_Portal
      • i5/OS: startServer WebSphere_Portal -profileName profile_root
  19. If you created a TCP junction in the previous step, go to the WebSEAL machine and edit the webseald-instance.conf file for the appropriate WebSEAL instance (for example, webseald-default.conf). Set the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WebSphere Application Server; this user ID and password were created in an earlier step. Stop and start the WebSEAL server before continuing.
  20. The length of the generated URLs may cause problems if your WebSEAL instance is on the Windows platform. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.
  21. Several portlets, including the Resource Permissions portlet and the productivity components editors, use relative JavaScript within the portlet or component. These portlets and components will not function correctly when accessed through a WebSEAL junction. For this JavaScript to be interpreted and followed correctly, WebSEAL must be configured to insert the junction point into the JavaScript. One way to accomplish this is through the junction mapping table (JMT) function in WebSEAL. To enable the JMT function, define an ASCII text file called jmt.conf. The location of this file is specified in the [junction] stanza of the webseald-instance.conf configuration file: jmt-map = lib/jmt.conf. Each entry in the table consists of the junction name, a space, and the resource location pattern; wildcard characters can be used in the resource location pattern. Note that jmt.conf resides in Access Manager_install_root/PDweb/www-default/lib/. In the following example of the junction mapping configuration file, two back-end servers are junctioned to WebSEAL at /jctA and /jctB:

      /jctA /documents/release-notes.html
      /jctB /wps/*

    where /jctB is the junction for WebSphere Portal Express. See the WebSEAL Administrator's Guide for more information.
  22. Import WebSphere Portal Express users and groups into Tivoli Access Manager by entering the following commands on the Tivoli Access Manager administrative command line, where wpsadmin is the user ID for the administrator, and wpsadmins is the administrators group name. The fully distinguished names of these user and group IDs will vary depending on your LDAP settings.

      user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
      user modify wpsadmin account-valid yes
      group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com
  23. Use the WebSphere Application Server Administrative Console to review and save the trust association and interceptor updates:

    1. In the WebSphere Application Server Administrative Console, click Security > Global security > Authentication > Authentication mechanisms > LTPA.
    2. Click Trust Association under Additional Properties.
    3. Under General Properties, find Enable trust association. If its check box is already selected, trust association is already enabled. If it is not selected, select the check box and click OK to enable trust association.
    4. Click Save at the top of the screen under Message(s). Click Save again when prompted, to confirm your changes.
    5. Click Security > Global security > Authentication > Authentication mechanisms > LTPA.
    6. Click Trust Association under Additional Properties. Click Interceptors under Additional Properties.
    7. The com.ibm.ws.security.web.WebSealTrustAssociationInterceptor interceptor should be listed. If it is not listed, review the ConfigTrace.log for errors encountered during the enable-tam-tai configuration task, and re-run the task if necessary.
    8. Click Save at the top of the screen under Message(s). Click Save again when prompted, to confirm your changes.
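The following Python script is an added example, not part of the IBM documentation or the product: it reads the WebSEAL junction and TAI parameters set in steps 14 and 15 from wkplc_comp.properties and flags the inconsistencies the procedure above warns about, in particular a trusted TAI user that is sec_master or wpsadmin (step 6). The property names are from the steps above; the sample file content, the host name and the account name webseal_tai are constructed.

```python
import re
TRUSTED_USER_DENYLIST = {"sec_master", "wpsadmin"}  # must never be the TAI trusted user (step 6)

# Constructed sample of the junction and TAI sections of wkplc_comp.properties (not a real file).
SAMPLE_PROPERTIES = """
# WebSEAL junction parameters
wp.ac.impl.JunctionPoint=/wps
wp.ac.impl.JunctionType=ssl
wp.ac.impl.TAICreds=iv-user,iv-creds
# WAS WebSEAL TAI parameters
wp.ac.impl.hostnames=portal.example.com
wp.ac.impl.ports=443
wp.ac.impl.BaUserName=wpsadmin
wp.ac.impl.BaPassword=ReplaceMe
"""


def parse_properties(text):
    """Minimal Java .properties reader (key=value or key:value, '#'/'!' comments, no continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_tai_settings(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    jtype = props.get("wp.ac.impl.JunctionType", "")
    if jtype not in ("tcp", "ssl"):
        findings.append("JunctionType must be tcp or ssl, got %r" % jtype)
    # The identity WebSEAL presents to WebSphere Application Server depends on the junction type.
    trusted_key = "wp.ac.impl.BaUserName" if jtype == "ssl" else "wp.ac.impl.loginId"
    trusted = props.get(trusted_key, "")
    if not trusted:
        findings.append("%s is required for a %s junction" % (trusted_key, jtype or "?"))
    elif trusted.lower() in TRUSTED_USER_DENYLIST:
        findings.append("%s=%s: use a dedicated TAI-only account" % (trusted_key, trusted))
    if jtype == "ssl" and not props.get("wp.ac.impl.BaPassword"):
        findings.append("wp.ac.impl.BaPassword is required for an SSL junction")
    if not props.get("wp.ac.impl.JunctionPoint", "").startswith("/"):
        findings.append("JunctionPoint must be an absolute path such as /wps")
    port = props.get("wp.ac.impl.ports", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("ports must be a TCP port number, got %r" % port)
    return findings
```

Run `check_tai_settings(parse_properties(open(path).read()))` against the real file after step 16; the sample above yields one finding because wpsadmin is configured as the SSL junction identity.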