WebSphere Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux, Windows

Configuring Tivoli Access Manager to perform authorization

You can configure IBM® Tivoli® Access Manager for e-business to perform authorization as a task that is independent of configuring Tivoli Access Manager to perform authentication, but you must configure both tasks. Using Tivoli Access Manager to perform only authorization is not supported.

There are additional considerations when you are setting up security to use an external security manager in a cluster environment and across mixed nodes. For instance, it is recommended that you perform any configuration for an external security manager after you have completed all other setup tasks, including ensuring that the cluster is functional.

After you complete the following authorization procedure, the Tivoli Access Manager protected object space contains entries for portal roles in the following format:

  portal_server_root/role_name/application_name/server_name/cell_name

For example: portal_server_root/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell

Perform the following steps to configure Tivoli Access Manager to perform authorization:

  1. Follow the instructions in Configuring Tivoli Access Manager to perform authentication only.
  2. Locate the portal_server_root/config/wpconfig.properties file.
  3. Create a backup copy of this file.
  4. Verify connectivity to Tivoli Access Manager by completing the following substeps and running the validate-pdadmin-connection configuration task.

    1. Use a text editor to open the portal_server_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file.

      Input Description
      PDAdminId The user ID for the administrative Tivoli Access Manager user.
      PDAdminPw The password for the administrative Tivoli Access Manager user.
      PDPermPath The location of the Tivoli Access Manager AMJRTE properties file.
    2. Save the file.
    3. Change to the directory portal_server_root/config.
    4. Enter the following command to run the appropriate configuration task for your specific operating system:

      • Linux: ./ConfigEngine.sh validate-pdadmin-connection -DPdAdminPw=password
      • Windows: ConfigEngine.bat validate-pdadmin-connection -DPdAdminPw=password
      • i5/OS: ConfigEngine.sh -profileName profile_root validate-pdadmin-connection -Dpassword_property_key=password_value

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

  5. Run the enable-tam-authorization configuration task to set up Tivoli Access Manager to perform authorization for the portal. Remember that if you do this, you must also use Tivoli Access Manager to perform authentication for the portal.

    1. Use a text editor to open the wp_profile_root/ConfigEngine/config/wkplc_comp.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input Description
      EACserverName (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace. Note: If set, EACcellName and EACappName must also be set.
      EACcellName (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace. Note: If set, EACserverName and EACappName must also be set.
      EACappName (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace. Note: If set, EACcellName and EACserverName must also be set.
      reorderRoles (Optional) Controls whether externalized portal role names are displayed with the resource type first or with the role type first.
      PDAdminId The user ID for the administrative Tivoli Access Manager user.
      PDAdminPw The password for the administrative Tivoli Access Manager user.
      PDPermPath The location of the Tivoli Access Manager AMJRTE properties file.
      PDRoot Root objectspace entry in the Tivoli Access Manager namespace. All portal roles are installed under this objectspace entry. If you use Tivoli Access Manager for multiple portal instances, choose a unique name for each root objectspace entry so that the entries of one portal instance are easily distinguished from those of another.
      PDAction When the Tivoli Access Manager external authorization plug-in starts, it detects and, if necessary, creates a custom action in Tivoli Access Manager. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.
      PDActionGroup When the Tivoli Access Manager external authorization plug-in starts, it detects and, if necessary, creates a custom action group in Tivoli Access Manager. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles. Note: Tivoli Access Manager accommodates a maximum of 30 custom action groups.
      PDCreateAcl When the portal externalizes a role, it can automatically create and attach a Tivoli Access Manager ACL granting membership to the user who performs the externalization. If you set this property to false, the Tivoli Access Manager administrator is responsible for creating the Tivoli Access Manager ACLs that allow access to portal roles.
    2. Save the file.
    3. Change to the directory portal_server_root/config.
    4. Enter the following command to run the appropriate configuration task for your specific operating system:

      • Linux: ./ConfigEngine.sh enable-tam-authorization
      • Windows: ConfigEngine.bat enable-tam-authorization
      • i5/OS: ConfigEngine.sh -profileName profile_root enable-tam-authorization

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

      Note: If the configuration task fails, validate the values in the wpconfig.properties file.
  6. By default, externalized roles appear in the external security manager as Role Type@Resource Type/Name/Object ID. For example, Administrator@PORTLET_APPLICATION/Welcome/1_1_1G.

    You can change this format to Resource Type/Name/Object ID@Role type. This format change groups the roles by resource name instead of by role type. For example, PORTLET_APPLICATION/Welcome/1_0_1G@Administrator. This format change is visible only when the roles are externalized. This change does not affect the way roles are displayed in WebSphere Portal Express.

    The Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1 role is never affected by this format change. This role always appears with the role type Administrator on the left.

    Follow these steps to change the format for externalized roles:

    1. In the Access Control Data Management Service, change the value of the accessControlDataManagement.reorderRoleNames property to true, as described in Set configuration properties.
    Note: To change the display format for roles that were initially externalized in the default format, follow these steps:

    1. Internalize the roles.
    2. Set the reorderRoleNames property to true as previously explained.
    3. Externalize the roles.
    Example of roles list with reorderRoleNames=false:
      Administrator@WEB_MODULE/Tracing.war/1_0_3K
      Administrator@PORTLET_APPLICATION/Welcome/1_0_1G
      User@WEB_MODULE/Tracing.war/1_0_3K
      Privileged User@WEB_MODULE/Tracing.war/1_0_3K
      Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G
    Example of roles list with reorderRoleNames=true:
      PORTLET_APPLICATION/Welcome/1_0_1G@Administrator
      PORTLET_APPLICATION/Welcome/1_0_1G@Privileged User
      WEB_MODULE/Tracing.war/1_0_3K@Administrator
      WEB_MODULE/Tracing.war/1_0_3K@Privileged User
      WEB_MODULE/Tracing.war/1_0_3K@User
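The naming rules described in this topic (the default RoleType@Resource format, the reorderRoleNames flip and its single exception, the object-space path from the introduction, and the T[WPS]m permission string built from PDActionGroup and PDAction) as an added Python illustration. This is not IBM's code: the PortalRole class and the function names are my own, and the sample role names are the ones listed above.

```python
"""Added illustration (not IBM code) of the role-name rules this page documents:
the RoleType@Resource format, the reorderRoleNames flip and its one exception,
the object-space path with the optional EAC* context, and the T[WPS]m permission
string. Sample role names are taken from the page's own examples."""
from dataclasses import dataclass
from typing import List, Optional

# The page states this role is never reordered: the role type stays on the left.
EAC_ADMIN_ROLE = ("Administrator", "VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1")


@dataclass(frozen=True)
class PortalRole:
    role_type: str   # "Administrator", "Privileged User", "User", ...
    resource: str    # "Resource Type/Name/Object ID", e.g. "WEB_MODULE/Tracing.war/1_0_3K"


def externalized_name(role: PortalRole, reorder: bool) -> str:
    """reorderRoleNames=false: RoleType@Resource.
    reorderRoleNames=true: Resource@RoleType, except for EAC_ADMIN_ROLE."""
    if not reorder or (role.role_type, role.resource) == EAC_ADMIN_ROLE:
        return f"{role.role_type}@{role.resource}"
    return f"{role.resource}@{role.role_type}"


def externalized_names(roles: List[PortalRole], reorder: bool) -> List[str]:
    """Sorted so the grouping effect is visible: reorder=True groups by resource."""
    return sorted(externalized_name(r, reorder) for r in roles)


def eac_context_is_consistent(app: Optional[str], server: Optional[str],
                              cell: Optional[str]) -> bool:
    """EACappName, EACserverName and EACcellName must be set together or not at all."""
    values = (app, server, cell)
    return all(values) or not any(values)


def object_space_entry(root: str, role_name: str, app: Optional[str] = None,
                       server: Optional[str] = None, cell: Optional[str] = None) -> str:
    """root/role_name[/application_name/server_name/cell_name], the format given in
    this topic's introduction; the trailing parts come from the EAC* properties."""
    if not eac_context_is_consistent(app, server, cell):
        raise ValueError("EACappName, EACserverName and EACcellName must all be set or all be empty")
    parts = [root, role_name] + ([app, server, cell] if app else [])
    return "/".join(parts)


def permission_string(action_group: str, action: str) -> str:
    """Traverse (T) plus the custom action inside its action group, e.g. T[WPS]m
    for PDActionGroup=WPS and PDAction=m as used in the pdadmin commands below."""
    return f"T[{action_group}]{action}"
```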


Verifying that Tivoli Access Manager is working properly

  1. Verify that the topology is as described in the protected object space before proceeding.
  2. Ensure that at least one user, usually the portal administrator, has the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role.

    1. To verify that the portal administrator and the portal administrator group have this role, view the ACL for the namespace entry representing the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role by entering the following command on the pdadmin command line:
      pdadmin> acl show WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1
    2. If there is no entry for the portal administrator, enter the following command to add the portal administrator to the Administrator@VIRTUAL/EXTERNAL_ACCESS_CONTROL_1 ACL:
      pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set user wpsadmin T[WPS]m
      pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set group wpsadmins T[WPS]m

      where wpsadmin is the portal administrator user ID and wpsadmins is the portal administrator group.

  3. Proceed to the Resource Permissions portlet.

    1. Select a resource type.
    2. Click the Assign Access icon for the specific resource.
    3. Click the Edit Role icon for a role that you want to externalize.
    4. Click Add to explicitly assign at least one user or group to your chosen role for the resource.
    5. Select the specific users or user groups by clicking Search for Users or User Groups, or by using the pull-down menu for the Search by option (the default is All available). Click OK.
    6. An informational message box should display the message that members were successfully added to the role.
    7. Optional: Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource, use the external security manager interface to create this role type later. For example, if you do not assign any users or groups to the Editor role type for the resource, then use the external security manager interface to create the Editor role type later.
    8. Click the Externalize icon for the resource. These steps move every role that is defined for each resource you assigned to the Tivoli Access Manager protected object space. One ACL is created for each externalized role.
  4. Add users to the ACLs that are attached to the role types on that resource by using either the Tivoli Access Manager GUI or the pdadmin command line.
Note: If you log on to WebSphere Portal Express for administration purposes and you intend to externalize resources to Tivoli Access Manager, remember the following:

Parent topic: Configuring Tivoli Access Manager