Configure the Credential Vault adapter for Tivoli Access Manager

 

+
Search Tips   |   Advanced Search

 

We can use IBM Tivoli Access Manager (TAM) for e-business in the IBM WebSphere Portal Credential Vault service. WebSphere Portal includes a vault adapter to access the TAM Global Sign-on (GSO) lockbox. Any existing Tivoli resource or resource credentials can be used in the portlets that access the credential vault service without any additional configuration. In addition, the credential vault service and credential vault management portlet can create new or update existing GSO lockbox entries.

Users who are storing credentials in the accessmanagervault.properties file must be defined in TAM as GSO users. Complete the following steps to utilize the TAM vault adapter that is packaged with WebSphere Portal :

1. Make a backup copy of...

   portal_server_root/config/wpconfig.properties

2. Verify connectivity to TAM by running the validate-pdadmin-connection configuration task.
   1. Edit...

      portal_server_root/config/wpconfig.properties

      ...and enter the appropriate values in the Advanced Security Configuration section of the file.

      • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

      • Use / instead of \ for all platforms.

      • Some values, shown in italics below, might need to be modified to the specific environment.

      Input	Description
      PDAdminId	User ID for the administrative TAM user. For example sec_master.
      PDAdminPw	Password for the administrative TAM user.
      PDPermPath	The location of the TAM AMJRTE properties file.

   2. Save the file.

   3. Open a command prompt and change to the following directory:

      • UNIX:

        was_profile_root/bin

      • Windows:

        was_profile_root\bin

      • i5/OS:

        app_server_root/bin

   4. Enter the following commands:
      1. Enter the following command:

         • UNIX:

           ./startServer.sh server1

         • Windows:

           startServer.bat server1

         • i5/OS:

           startServer -profileName profile_root

           ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

         ...where server1 is the name of the WebSphere Application Server administrative server.

      2. Enter the following command:

         • UNIX:

           ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

         • Windows:

           stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

         • i5/OS:

           stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

           ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

   5. Change to the directory portal_server_root/config.

   6. Enter the following command to run the appropriate configuration task for the specific operating system:

      • UNIX:

        ./WPSconfig.sh validate-pdadmin-connection

      • Windows:

        WPSconfig.bat validate-pdadmin-connection

      • i5/OS:

        WPSconfig.sh -profileName profile_root validate-pdadmin-connection

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

      If the validate-pdadmin-connection configuration task failed:

      • issuing the message Cannot contact server, the validity of the PDAdmin ID and password values need to be verified in the wpconfig.properties file.

      • issuing the common error message java.io.FileNotFoundException, this indicates that the task failed on a new WebSphere Application Server and WebSphere Portal installation so that the PDPerm.properties file was not found. Recovery is covered in the next step. Here is the error message in detail:

        Wrappered Exception:
        java.security.PrivilegedActionException: java.io.FileNotFoundException: 
           C:\WebSphere\AppServer\java\jre\PdPerm.properties 
           (The system cannot find the path specified)     
        [
        HPDJA0108E   Invalid argument: Null configuration URL.
        ]
        

3. If the validate-pdadmin-connection task succeeded, skip to the next step. If the validate-pdadmin-connection task failed because the file PDPerm.properties was not found, do the following:
   1. Edit the portal_server_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input	Description
      PDServerName	Unique application name used to create a new Tivoli server in the Access Manager Policy Server. If a server with the same name appears in the server list command, the SvrSslCfg command will fail.
      PDAdminId	User ID for the administrative TAM user. For example sec_master.
      PDAdminPw	Password for the administrative TAM user.
      PDPermPath	The location of the TAM AMJRTE properties file.
      SvrSslCfgPort	Configuration port for the application name.
      SvrSslCfgMode	Configuration mode of the SvrSslCfg command.
      PDPolicyServerList	Defines a hostname, port, and priority combinations for the TAM Policy servers used when running SvrSslCfg.
      PDAuthzServerList	Defines a hostname, port, and priority combination for the TAM authorization servers.
      PDKeyPath	Stores encryption keys used for the SSL communication between AMJRTE and TAM.

   2. Save the file.

   3. Open a command prompt and change to the following directory:

      • UNIX:

        was_profile_root/bin

      • Windows:

        was_profile_root\bin

      • i5/OS:

        app_server_root/bin

   4. Enter the following commands:
      1. Enter the following command:

         • UNIX:

           ./startServer.sh server1

         • Windows:

           startServer.bat server1

         • i5/OS:

           startServer -profileName profile_root

           ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

         ...where server1 is the name of the WebSphere Application Server administrative server.

      2. Enter the following command:

         • UNIX:

           ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

         • Windows:

           stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

         • i5/OS:

           stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

           ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

   5. Change to the directory portal_server_root/config.

   6. Enter the following command to run the appropriate configuration task for the specific operating system:

      • UNIX:

        ./WPSconfig.sh run-svrssl-config

      • Windows:

        WPSconfig.bat run-svrssl-config

      • i5/OS:

        WPSconfig.sh -profileName profile_root run-svrssl-config

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

      If the configuration task fails, validate the values in the wpconfig.properties file.

4. Configure the Credential Vault adapter.
   1. Edit the portal_server_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section. Do not change any settings other than those specified in these steps.

      Input	Description
      PDAdminId	User ID for the administrative TAM user. For example sec_master.
      PDAdminPw	Password for the administrative TAM user.
      PDPermPath	The location of the TAM AMJRTE properties file.

   2. Save the file.

   3. Open a command prompt and change to the following directory:

      • UNIX:

        was_profile_root/bin

      • Windows:

        was_profile_root\bin

      • i5/OS:

        app_server_root/bin

   4. Enter the following commands:
      1. Enter the following command:

         • UNIX:

           ./startServer.sh server1

         • Windows:

           startServer.bat server1

         • i5/OS:

           startServer -profileName profile_root

           ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

         ...where server1 is the name of the WebSphere Application Server administrative server.

      2. Enter the following command:

         • UNIX:

           ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

         • Windows:

           stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

         • i5/OS:

           stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

           ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

   5. Change to the directory portal_server_root/config.

   6. Enter the following command to run the appropriate configuration task for the specific operating system. This configuration task automatically creates and populates a file named...

      portal_server_root/shared/app/config/accessmanagervault.properties:

      • UNIX:

        ./WPSconfig.sh enable-tam-vault

      • Windows:

        WPSconfig.bat enable-tam-vault

      • i5/OS:

        WPSconfig.sh -profileName profile_root enable-tam-vault

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

      If the configuration task fails, validate the values in the wpconfig.properties file.

5. Optional: Use the WebSphere Application Server encoding mechanism to mask the passwords in the production version of the file. The accessmanagervault.properties file contains the TAM administrative password in the pdpw property. Refer to the detailed instructions in Password masking for masking passwords or changing masked passwords.

6. Verify that AccessManagerVault is available from the Credential Vault dropdown in the Credential Vault portlet.

7. Open a command prompt and change to the following directory:

   • UNIX:

     was_profile_root/bin

   • Windows:

     was_profile_root\bin

   • i5/OS:

     app_server_root/bin

8. Enter the following commands:
   1. Enter the following command:

      • UNIX:

        ./startServer.sh server1

      • Windows:

        startServer.bat server1

      • i5/OS:

        startServer -profileName profile_root

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

      ...where server1 is the name of the WebSphere Application Server administrative server.

   2. Enter the following command:

      • UNIX:

        ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

      • Windows:

        stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

      • i5/OS:

        stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

 

Remove the Credential Vault adapter

Follow these steps in the order specified to remove the Credential Vault adapter:

1. Use the Credential Vault portlet to remove any segments created in the Tivoli Access Manager Vault.

   Do not remove DefaultAdminSegment. See the Credential Vault portlet help for more information.

2. In the WP Credential Vault Service configuration, remove the Vault.AccessManager Credential Vault Adapter implementation properties, including class, config, manager, and readonly, as described in Setting configuration properties.

   The systemcred.dn property cannot be removed.

3. Remove the file named accessmanagervault.properties from the portal_server_root/shared/app/config directory.

 

Related information

• WebSphere Application Server documentation

• Credential Vault

• Configuring databases

 

Parent topic:

Use TAM with WebSphere Portal

 

---