Configure the Credential Vault adapter for Tivoli Access Manager


Use Tivoli Access Manager in the Credential Vault service. WebSphere Portal includes a vault adapter for Tivoli Access Manager.

Users who are storing credentials in the AccessManagerVault must be defined in Tivoli Access Manager as global signon (GSO) users.

Use these steps to implement the Tivoli Access Manager vault adapter that is packaged with WebSphere Portal. The following common variables are used throughout these steps:

  1. Make backup copies of the following files...

  2. Verify connectivity to Tivoli Access Manager by running the validate-pdadmin-connection configuration task.

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file.

      Note the following:

      • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

      • Use / instead of \ for all platforms.

      • Some values, shown in italics below, might need to be modified to your specific environment.

      Input          Description
      PDAdminId      The user ID for the administrative TAM user. For example, sec_master.
      PDAdminPw      The password for the administrative TAM user.
      PDPermPath     The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  3. If the validate-pdadmin-connection task succeeds, skip to step 4. If the validate-pdadmin-connection task fails, do the following:

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input                Description
      PDServerName         Unique application name used to create a new Tivoli server in the Access Manager Policy Server. If a server with the same name already appears in the output of the server list command, the SvrSslCfg command will fail.
      PDAdminId            The user ID for the administrative TAM user. For example, sec_master.
      PDAdminPw            The password for the administrative TAM user.
      PDPermPath           The location of the TAM AMJRTE properties file.
      SvrSslCfgPort        Configuration port for the application name.
      SvrSslCfgMode        Configuration mode of the SvrSslCfg command.
      PDPolicyServerList   Defines the hostname, port, and priority combinations for your TAM policy servers, used when running SvrSslCfg.
      PDAuthzServerList    Defines the hostname, port, and priority combinations for your TAM authorization servers.
      PDKeyPath            Stores the encryption keys used for the SSL communication between AMJRTE and Tivoli Access Manager.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  4. Configure the Credential Vault adapter.

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section. Do not change any settings other than those specified in these steps.

      Input          Description
      PDAdminId      The user ID for the administrative TAM user. For example, sec_master.
      PDAdminPw      The password for the administrative TAM user.
      PDPermPath     The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system. This configuration task automatically creates and populates a file named wp_root/shared/app/config/accessmanagervault.properties:

      • UNIX: ./WPSconfig.sh enable-tam-vault -DPDAdminPw=password

      • Windows: WPSconfig.bat enable-tam-vault -DPDAdminPw=password

      If the configuration task fails, validate the values in the wpconfig.properties file.

  5. Use the WebSphere Application Server encoding mechanism to mask the passwords in the live version of the file. The following command masks the sensitive fields and removes all comments from the file. The original version of the file with the password in the clear and all comments intact is preserved with a bak extension. Enter the appropriate command:

    • Windows: was_root\bin\PropFilePasswordEncoder.bat filename property_name

    • UNIX: was_root/bin/PropFilePasswordEncoder.sh filename property_name

    For example, on Windows, enter the following command on a single line:

    c:\Program Files\WebSphere\AppServer\bin\PropFilePasswordEncoder.bat c:\Program Files\WebSphere\PortalServer\shared\app\config\services\ExternalAccessControlService.properties.pdpw

  6. The next time you change the password, do the following steps:

    1. Copy the backup version of the file over the live version, which will have encoded passwords and no comments.

    2. Edit this new live file as needed and enter the new password in the clear.

    3. Save the file and create a backup.

    4. Run the WebSphere Application Server encoding mechanism on the file. The backup copy still exists with no password but with the comments preserved.

  7. For security reasons, either remove the password from the file with the bak extension that was created in the previous step, or delete that file. Alternatively, you can specify the password on the command line using the following syntax:

    WPSconfig.{sh|bat} task_name -Dpassword_property_key=password_value
    

    If you have multiple properties in a single command, use a space character between each -Dproperty_name=value setting. Each password property must have the -D prefix and be set equal to (=) a value.

  8. Verify that AccessManagerVault can access the GSO lockbox from within WebSphere Portal by running the validate-pdadmin-connection configuration task.

    1. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section.

      Input          Description
      PDAdminId      The user ID for the administrative TAM user. For example, sec_master.
      PDAdminPw      The password for the administrative TAM user.
      PDPermPath     The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Open a command prompt and change to directory was_root/bin.

    4. Enter the following commands:

      1. startServer server1

      2. stopServer WebSphere_Portal -user was_admin_userID -password was_admin_password

    5. Change to the directory wp_root/config.

    6. Enter the following command to run the appropriate configuration task for your specific operating system:

      If the configuration task fails, validate the values in the wpconfig.properties file.
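As an added check for steps 5 to 7, the following Python script (written for this page; it is not WebSphere Portal code and not part of the product documentation) audits properties files for password-like keys whose values are still in the clear, which is exactly the state the bak file is left in until step 7 is done. It assumes WebSphere's {xor} password encoding (base64 of every byte XOR 0x5F), which this page does not describe, and it runs on constructed in-memory sample files rather than on wp_root/shared/app/config; the PDPermPath value in the samples is likewise a constructed placeholder.

```python
"""Audit WebSphere Portal properties files for cleartext passwords.

Added example for the password-masking procedure (steps 5 to 7).
Assumes WebSphere's {xor} encoding: base64 of each byte XOR 0x5F.
"""
import base64
import re
from typing import Dict, List, Tuple

XOR_PREFIX = "{xor}"
XOR_KEY = 0x5F  # the character '_'


def xor_encode(plaintext: str) -> str:
    """Reproduce WebSphere's {xor} encoding (assumed scheme).

    This is obfuscation, not encryption: the transform is reversible by
    anyone who can read the file, so file permissions still matter.
    """
    masked = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(masked).decode("ascii")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: skips blank and comment lines,
    splits each entry on the first '=' or ':' and strips whitespace."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def looks_like_password_key(key: str) -> bool:
    """Heuristic: keys such as PDAdminPw, *Password or *Pwd hold secrets."""
    k = key.lower()
    return k.endswith("pw") or k.endswith("pwd") or "password" in k


def find_cleartext_passwords(filename: str, text: str) -> List[Tuple[str, str]]:
    """Return (filename, key) for each password-like property whose value
    is present and not {xor}-masked (escaped braces are tolerated)."""
    findings: List[Tuple[str, str]] = []
    for key, value in parse_properties(text).items():
        normalized = value.replace("\\{", "{").replace("\\}", "}")
        if looks_like_password_key(key) and normalized and not normalized.startswith(XOR_PREFIX):
            findings.append((filename, key))
    return findings


def audit_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Audit a mapping of filename -> contents (read from disk in real use)."""
    findings: List[Tuple[str, str]] = []
    for name, text in files.items():
        findings.extend(find_cleartext_passwords(name, text))
    return sorted(findings)


# Constructed sample: the live file after PropFilePasswordEncoder (masked,
# comments stripped) and the bak copy it leaves behind, password in the clear.
SAMPLE_FILES = {
    "accessmanagervault.properties": (
        "PDAdminId=sec_master\n"
        "PDAdminPw=" + xor_encode("password") + "\n"
        "PDPermPath=/opt/PolicyDirector/PdPerm.properties\n"  # constructed path
    ),
    "accessmanagervault.properties.bak": (
        "# Access Manager vault settings (constructed sample)\n"
        "PDAdminId=sec_master\n"
        "PDAdminPw=password\n"
        "PDPermPath=/opt/PolicyDirector/PdPerm.properties\n"  # constructed path
    ),
}

if __name__ == "__main__":
    for name, key in audit_files(SAMPLE_FILES):
        print(f"cleartext password: {name} -> {key}")
```

To use it against a real installation, read each .properties, .bak and .pdpw file under wp_root/shared/app/config into the mapping passed to audit_files; any finding in a bak file means step 7 has not been completed. Because the {xor} transform is reversible, a clean audit only proves that nothing is stored in the clear, not that the masked file is safe to expose, so restrict read access to the live file as well.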

 

Removing the Credential Vault adapter

Follow these steps to remove the Credential Vault adapter. Perform these steps in the specified order:

  1. Use the Credential Vault portlet to remove any segments created in the TAM Vault. See the Credential Vault portlet help for more information.

  2. Restore the backup copy of the VaultServices.properties file.


WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.

 

Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.