Configure WAS to use Tivoli Access Manager for authentication
Use WAS v5.1 to install and pre-configure the Tivoli Access Manager Java run-time component, which uses the WebSphere Application Server version of the Java run time during the installation.
This article assumes that an external Tivoli Access Manager server Version 5.1 already exists.
To enable Tivoli Access Manager for authentication, complete the following steps...
- Issue the PDJrteCfg command. In a cell, run the following command on the Deployment Manager first and then on the nodes.
Note: The following command should be entered as one line.
java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" com.tivoli.pd.jcfg.PDJrteCfg -action [ config | unconfig ] -was -config_type [ full | standalone ] -java_home <jre_home> -host <Policy_Server_host_name>
Detailed information on the PDJrteCfg class is located under com.tivoli.pd.jcfg.PDJrteCfg in the Command Reference of the Tivoli Access Manager Version 5.1 product documentation. Here is an example of the configuration script to run.
Note: The following command should be entered as one line.
%WAS_HOME%\java\jre\bin\java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" -cp "%WAS_HOME%\java\jre\lib\ext\PD.jar;%WAS_HOME%\java\jre\lib\ext\ibmjceprovider.jar;%WAS_HOME%\java\jre\lib\ext\ibmpkcs.jar;%CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg -action config -was -config_type full -host TAM_policy_server_host_name
- Issue the SvrSslCfg command. In a cell, run the following command on the Deployment Manager first and then on the nodes. Refer to SvrSslCfg usage syntax for more information. Also, see the following example for issuing this command...
Note: The following command should be entered as one line.
%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd password -appsvr_id appsvr_name -appsvr_pwd security -port 8888 -mode remote -host was_server_host_name -policysvr TAM_policysvr_host_name:7135:1 -authzsvr TAM_authzsvr_host_name:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
- Start WAS, if it is not started already.
- Enable Tivoli Access Manager in the WAS administrative console. Check the Use Tivoli Access Manager for Account Policies check box on the Security > User Registries > LDAP page. If security within the LDAP user registry is not already enabled, refer to Configuring Lightweight Directory Access Protocol for more information.
- Stop and restart WAS for your changes to take effect.
To disable Tivoli Access Manager for authentication, complete the following steps...
- Deselect the Use Tivoli Access Manager for Account Policies check box on the LDAP user registry page in the administrative console.
- Stop WAS.
- Run the SvrSslCfg command to unconfigure the WebSphere Application Server to use an existing Tivoli Access Manager server.
For example,
Note: The following command should be entered as one line.
%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action unconfig -admin_id sec_master -admin_pwd password -appsvr_id appsvr_name -policysvr TAM_policysvr_host_name:7135:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -host was_server_host_name
- Run the PDJrteCfg command with the unconfig action. Command usage...
Note: The following command should be entered as one line.
java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" com.tivoli.pd.jcfg.PDJrteCfg -action [ config | unconfig ] -was -config_type [ full | standalone ] -java_home <jre_home> -host <Policy_Server_host_name>
Detailed information on the PDJrteCfg class is located under com.tivoli.pd.jcfg.PDJrteCfg in the Command Reference of the Tivoli Access Manager Version 5.1 product documentation. Here is an example of the unconfiguration script.
Note: The following command should be entered as one line.
%WAS_HOME%\java\jre\bin\java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" -cp "%WAS_HOME%\java\jre\lib\ext\PD.jar;%WAS_HOME%\java\jre\lib\ext\ibmjceprovider.jar;%WAS_HOME%\java\jre\lib\ext\ibmpkcs.jar;%CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg -action unconfig -was -java_home %WAS_HOME%\java\jre
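The enable and disable procedures above are the same two Java utilities run in opposite order. The following script is an added example, not code from IBM or from the WebSphere or Tivoli Access Manager products: it builds and runs the exact PDJrteCfg and SvrSslCfg command lines shown above, in the order the steps prescribe, prompts for the sec_master and application-server passwords instead of embedding them in a script, masks those values in log output, aborts if a step exits non-zero, and confirms that SvrSslCfg actually produced PdPerm.properties and PdPerm.ks. All function names are hypothetical, the directory layout is the %WAS_HOME%\java\jre layout from this page, and the host names are placeholders.

```python
"""Wrapper for the PDJrteCfg and SvrSslCfg steps above (added example, not IBM code).

Assumes the page's layout (WAS_HOME\\java\\jre, PdPerm.properties, PdPerm.ks)
and placeholder host names. There is no Python API for these utilities; the
script only assembles and runs the Java command lines the page documents.
"""
import getpass
import os
import subprocess
from pathlib import Path

PDJRTECFG = "com.tivoli.pd.jcfg.PDJrteCfg"
SVRSSLCFG = "com.tivoli.pd.jcfg.SvrSslCfg"
SECRET_FLAGS = {"-admin_pwd", "-appsvr_pwd"}  # values never written to logs


def jre_paths(was_home):
    """Locations under WAS_HOME\\java\\jre that the page's commands reference."""
    jre = Path(was_home) / "java" / "jre"
    ext = jre / "lib" / "ext"
    return {
        "java": str(jre / "bin" / "java"),
        "jre": str(jre),
        "pd_home": str(jre / "PolicyDirector"),
        "classpath": os.pathsep.join(
            str(ext / jar) for jar in ("PD.jar", "ibmjceprovider.jar", "ibmpkcs.jar")),
        "cfg_file": str(jre / "PdPerm.properties"),
        "key_file": str(jre / "lib" / "security" / "PdPerm.ks"),
    }


def pdjrtecfg_args(was_home, action, policy_server=None, config_type="full", extra_classpath=None):
    """PDJrteCfg: 'config' needs -config_type and -host, 'unconfig' needs -java_home."""
    if action not in ("config", "unconfig"):
        raise ValueError("action must be 'config' or 'unconfig'")
    p = jre_paths(was_home)
    cp = p["classpath"] + (os.pathsep + extra_classpath if extra_classpath else "")
    args = [p["java"], "-Djava.ext.dirs", "-Dpd.home=" + p["pd_home"], "-cp", cp,
            PDJRTECFG, "-action", action, "-was"]
    if action == "config":
        if not policy_server:
            raise ValueError("policy_server is required for config")
        args += ["-config_type", config_type, "-host", policy_server]
    else:
        args += ["-java_home", p["jre"]]
    return args


def svrsslcfg_args(was_home, action, admin_id, admin_pwd, appsvr_id, was_host, policysvr,
                   authzsvr=None, appsvr_pwd=None, port=8888):
    """SvrSslCfg: config creates PdPerm.properties and PdPerm.ks; unconfig removes the entries."""
    p = jre_paths(was_home)
    args = [p["java"], SVRSSLCFG, "-action", action, "-admin_id", admin_id,
            "-admin_pwd", admin_pwd, "-appsvr_id", appsvr_id]
    if action == "config":
        if not (authzsvr and appsvr_pwd):
            raise ValueError("config needs authzsvr and appsvr_pwd")
        args += ["-appsvr_pwd", appsvr_pwd, "-port", str(port), "-mode", "remote",
                 "-host", was_host, "-policysvr", policysvr, "-authzsvr", authzsvr,
                 "-cfg_file", p["cfg_file"], "-key_file", p["key_file"], "-cfg_action", "create"]
    elif action == "unconfig":
        args += ["-policysvr", policysvr, "-cfg_file", p["cfg_file"], "-host", was_host]
    else:
        raise ValueError("action must be 'config' or 'unconfig'")
    return args


def redact(args):
    """Copy of an argument list with the value following each password flag masked."""
    out, mask = [], False
    for a in args:
        out.append("********" if mask else a)
        mask = a in SECRET_FLAGS
    return out


def run_step(args):
    """Run one command; a non-zero exit aborts the procedure before later steps run."""
    print("running:", " ".join(redact(args)))
    subprocess.run(args, check=True)


def enable(was_home, policy_server, was_host, policysvr, authzsvr, appsvr_id, admin_id="sec_master"):
    """Enable in the page's order: PDJrteCfg config, then SvrSslCfg config, then verify outputs."""
    admin_pwd = getpass.getpass("Tivoli Access Manager %s password: " % admin_id)
    appsvr_pwd = getpass.getpass("Password to set for %s: " % appsvr_id)
    run_step(pdjrtecfg_args(was_home, "config", policy_server,
                            extra_classpath=os.environ.get("CLASSPATH")))
    run_step(svrsslcfg_args(was_home, "config", admin_id, admin_pwd, appsvr_id, was_host,
                            policysvr, authzsvr=authzsvr, appsvr_pwd=appsvr_pwd))
    p = jre_paths(was_home)
    missing = [f for f in (p["cfg_file"], p["key_file"]) if not Path(f).is_file()]
    if missing:
        raise RuntimeError("SvrSslCfg did not create: %s" % missing)


def disable(was_home, was_host, policysvr, appsvr_id, admin_id="sec_master"):
    """Disable in the page's order: SvrSslCfg unconfig, then PDJrteCfg unconfig."""
    admin_pwd = getpass.getpass("Tivoli Access Manager %s password: " % admin_id)
    run_step(svrsslcfg_args(was_home, "unconfig", admin_id, admin_pwd, appsvr_id, was_host, policysvr))
    run_step(pdjrtecfg_args(was_home, "unconfig", extra_classpath=os.environ.get("CLASSPATH")))


if __name__ == "__main__":
    # Placeholder hosts from the page; run on the Deployment Manager first, then on each node.
    enable(os.environ.get("WAS_HOME", r"C:\WebSphere\AppServer"), "TAM_policy_server_host_name",
           "was_server_host_name", "TAM_policysvr_host_name:7135:1",
           "TAM_authzsvr_host_name:7136:1", "appsvr_name")
```

Prompting for the passwords keeps them out of scripts and shell history, but because SvrSslCfg accepts them only as command-line options, they remain visible in the process's argument list on that host for as long as the utility runs; the redacted line printed by run_step is what should go into any change record. The post-check matters because a SvrSslCfg failure after partial registry updates leaves the user and server entries in Tivoli Access Manager without a local key store, which is exactly the state the unconfig path is meant to clean up.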
The SvrSslCfg utility is used to configure every WebSphere Developer Kit, Java Technology Edition installation. For example, in a Network Deployment environment, run the SvrSslCfg utility on the Deployment Manager first and then run the utility on all of the appserver nodes, even if the nodes are on the same machine.
- Configure WAS to use Tivoli Access Manager by using the SvrSslCfg utility. This utility is used to configure, to remove, and to modify the configuration information associated with WAS and the Tivoli Access Manager server that you have configured. After running the SvrSslCfg utility successfully on WAS, a user account and server entries representing the WAS server are created in the Tivoli Access Manager user registry. In addition, a configuration file and a Java key store file, which securely stores a client certificate, are created locally on the Application Server. This client certificate permits callers to use Tivoli Access Manager authentication services.
- Use the SvrSslCfg utility also to unconfigure the communication of the WebSphere Application Server with Tivoli Access Manager. When unconfiguring, you are choosing to remove the user and server entries from the user registry, and clean up the local configuration and key store files.
See Also
SvrSslCfg usage syntax