Configure Tivoli Access Manager to perform authorization

Overview

We can configure IBM Tivoli Access Manager (TAM) for e-business to perform authorization as an independent task from configuring TAM to perform authentication, but configure both tasks. Using TAM to perform only authorization is not supported.

For WebSphere Portal cluster environments, perform configuration for an external security manager only after you have completed all cluster setup tasks.

After completing the following authorization procedure, the TAM protected object space will contain entries for portal roles in the following format:

portal_server_root/role_name/appname/servername/cell

...where appname, servername, and cell are configurable values in...

ExternalAccessControlService.properties

For example:

portal_server_root/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell

After a role is externalized, use TAM to add and remove users and groups to the Access Control List (ACL) for the role.

We can use TAM to provide access control for all public portal resources, or for a subset of public portal resources, depending on the needs of the environment. Access control for private pages cannot be externalized.

This example assumes that IBM HTTP Server is the Web server.

pdadmin is a command-line utility that supports TAM administrative functions.

Configure TAM to perform authorization

  1. Ensure that the TAM AMJRTE component on the WebSphere Portal machine is at the V5.1 Fix Pack 2 level or higher. This version of the AMJRTE component is automatically installed with WebSphere Application Server (WAS) V5.1.1 or higher.

  2. Follow the instructions in Configuring TAM to perform authentication only.

  3. Create a backup copy of...

    portal_server_root/config/wpconfig.properties

  4. Verify connectivity to TAM by completing the following substeps and running the validate-pdadmin-connection configuration task.

    1. Edit...

      portal_server_root/config/wpconfig.properties

      ...and enter the appropriate values in the Advanced Security Configuration section of the file.

      Input        Description
      PDAdminId    User ID for the administrative TAM user.
      PDAdminPw    Password for the administrative TAM user.
      PDPermPath   The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Run the validate-pdadmin-connection configuration task.

  5. Optional: Skip this step if authentication is already configured per Configuring TAM to perform authentication only. If the validate-pdadmin-connection configuration task succeeded, skip to the next step. If the validate-pdadmin-connection task failed because the file PDPerm.properties was not found, do the following:

    1. Edit...

      portal_server_root/config/wpconfig.properties

      ...and enter the appropriate values in the Advanced Security Configuration section of the file.

      Input               Description
      PDServerName        Unique application name used to create a new Tivoli server in the Access Manager Policy Server. This server represents the WebSphere Portal JVM in the output of the pdadmin server list command. If a server with the same name already appears in the server list output, the SvrSslCfg command will fail.
      PDAdminId           User ID for the administrative TAM user.
      PDAdminPw           Password for the administrative TAM user.
      PDPermPath          The location of the TAM AMJRTE properties file.
      SvrSslCfgPort       Configuration port for the application name.
      SvrSslCfgMode       Configuration mode of the SvrSslCfg command.
      TamHost             Defines the TAM Policy Server used when running PDJrteCfg.
      PDPolicyServerList  Defines the hostname, port, and priority combinations for the TAM Policy Servers used when running SvrSslCfg.
      PDAuthzServerList   Defines the hostname, port, and priority combinations for the TAM authorization servers.
      PDKeyPath           Location of the encryption keys used for the SSL communication between AMJRTE and TAM.

    2. Save the file.

    3. Run the configuration task.

      If the configuration task fails, validate the values in the wpconfig.properties file.

  6. Run the enable-tam-authorization configuration task to set up TAM to perform authorization for the portal. Remember that if you do this, you must also use TAM to perform authentication for the portal.

    1. Edit...

      portal_server_root/config/wpconfig.properties

      ...and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input          Description
      EACserverName  (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the TAM namespace. If set, EACcellName and EACappName must also be set.
      EACcellName    (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the TAM namespace. If set, EACserverName and EACappName must also be set.
      EACappName     (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the TAM namespace. If set, EACcellName and EACserverName must also be set.
      reorderRoles   (Optional) Controls whether externalized Portal role names are displayed with the resource type first or with the role type first.
      PDAdminId      User ID for the administrative TAM user.
      PDAdminPw      Password for the administrative TAM user.
      PDPermPath     The location of the TAM AMJRTE properties file.
      PDRoot         Root objectspace entry in the TAM namespace. All Portal roles will be installed under this objectspace entry. If you will be using TAM for multiple portal instances, choose a unique name for each root objectspace entry to distinguish one portal instance entry from another.
      PDAction       When the TAM external authorization plugin is started, it detects and, if necessary, creates a custom action in Tivoli Access Manager. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles.
      PDActionGroup  When the TAM external authorization plugin is started, it detects and, if necessary, creates a custom action group in Tivoli Access Manager. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles. TAM accommodates a maximum of 30 custom action groups.
      PDCreateAcl    When Portal externalizes a role, it can automatically create and attach a TAM ACL granting membership to the user who externalizes the role. If you set this property to false, the TAM administrator is responsible for creating TAM ACLs to allow access to Portal roles.

    2. Save the file.

    3. Run the enable-tam-authorization configuration task.

      If the configuration task fails, validate the values in the wpconfig.properties file.

  7. Restart WebSphere Portal.

  8. By default, externalized roles appear in the external security manager as Role Type@Resource Type/Name/Object ID. For example,...

    Administrator@PORTLET_APPLICATION/Welcome/1_1_1G

    We can change this format to...

    Resource Type/Name/Object ID@Role Type

    This format change groups the roles by resource name instead of by role type. For example,...

    PORTLET_APPLICATION/Welcome/1_0_1G@Administrator

    This format change is visible only when the roles are externalized. It does not affect the way roles are displayed in WebSphere Portal.

    The role...

    Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1

    ...is never affected by this format change. This role always appears with the role type Administrator on the left. To change the format for externalized roles, change the value of the accessControlDataManagement.reorderRoleNames property in the Access Control Data Management Service to true, as described in Setting configuration properties.

    To change the display format for roles that were initially externalized in the default format, follow these steps:

    1. Internalize the roles.

    2. Set the reorderRoleNames property to true as previously explained.

    3. Externalize the roles.

    Example of roles list with reorderRoleNames=false:

    Administrator@WEB_MODULE/Tracing.war/1_0_3K
    Administrator@PORTLET_APPLICATION/Welcome/1_0_1G
    User@WEB_MODULE/Tracing.war/1_0_3K
    Privileged User@WEB_MODULE/Tracing.war/1_0_3K
    Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G

    Example of roles list with reorderRoleNames=true:

    PORTLET_APPLICATION/Welcome/1_0_1G@Administrator
    PORTLET_APPLICATION/Welcome/1_0_1G@Privileged User
    WEB_MODULE/Tracing.war/1_0_3K@Administrator
    WEB_MODULE/Tracing.war/1_0_3K@Privileged User
    WEB_MODULE/Tracing.war/1_0_3K@User


Verify that TAM is working properly

  1. Verify that the topology is as described in the protected object space before proceeding.

  2. Ensure that at least one user, usually the portal administrator, has the role...

    Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1

    1. To verify that the portal administrator and the portal administrator group have this role, view the ACL for the namespace entry representing the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role by entering the following command on the pdadmin command line:

      pdadmin> acl show WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1

    2. If there is no entry for the portal administrator, enter the following command to add the portal administrator to the Administrator@VIRTUAL/EXTERNAL_ACCESS_CONTROL_1 ACL:

      pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set user wpsadmin T[WPS]m
      pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set group wpsadmins T[WPS]m

      ...where wpsadmin is the portal administrator user ID and wpsadmins is the portal administrator group.

  3. Proceed to the Resource Permissions portlet on the WebSphere Portal machine.

    1. Select a resource type.

    2. Click the Assign Access icon for the specific resource.

    3. Click the Edit Role icon for a role that you want to externalize.

    4. Click Add to explicitly assign at least one user or group to the chosen role for the resource.

    5. Select the specific users or user groups by clicking Search for Users or User Groups, or by clicking the pull-down for the Search by option, where the default is set to All available. Click OK.

    6. An informational message box should display the message that members were successfully added to the role.

    7. Optional: Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource, use the external security manager interface to create this role type later. For example, if you do not assign any users or groups to the Editor role type for the resource, then use the external security manager interface to create the Editor role type later.

    8. Click the Externalize icon for the resource. These steps move every role that is defined for each resource you assigned to the TAM protected object space. One ACL is created for each externalized role.

  4. Add users to the ACLs that are attached to the role types on that resource by using either the TAM GUI or the pdadmin command line.
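The ACL check from step 2 of this section, as an added example that is not part of the original IBM page: it parses the output of the pdadmin acl show command (a constructed sample is embedded, since the layout of that output is assumed) and confirms that the portal administrator user and group hold the membership permission, which, as the PDAction and PDActionGroup descriptions above explain, is built from the action group and the action (T[WPS]m for this page's values). The ACL name, wpsadmin and wpsadmins are the page's example names; PD_ACTION_GROUP and PD_ACTION are assumed to match the values in wpconfig.properties.

```shell
#!/bin/sh
# Added example, not from the IBM page: confirm that the portal administrator
# user and group hold the membership permission on the externalized
# Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 ACL.

ACL_NAME="WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1"
PD_ACTION_GROUP="WPS"   # assumed to equal PDActionGroup in wpconfig.properties
PD_ACTION="m"           # assumed to equal PDAction in wpconfig.properties
# Membership permission = traverse (T) + custom action group + custom action.
EXPECTED_PERM="T[${PD_ACTION_GROUP}]${PD_ACTION}"

# Constructed sample of "pdadmin> acl show $ACL_NAME" output; in practice,
# capture the real output of that pdadmin command instead.
SAMPLE_ACL_SHOW='ACL Name: WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1
Description:
Entries:
    User sec_master TcmdbsvaBRl
    User wpsadmin T[WPS]m
    Group wpsadmins T[WPS]m
    Any-other T
    Unauthenticated T'

# acl_has_entry TEXT TYPE NAME PERM: succeeds if an entry "TYPE NAME PERM"
# (for example "Group wpsadmins T[WPS]m") is present in the acl show output.
acl_has_entry() {
    printf '%s\n' "$1" | awk -v t="$2" -v n="$3" -v p="$4" '
        $1 == t && $2 == n && $3 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_portal_admins TEXT USER GROUP: succeeds only if both the portal
# administrator user and the portal administrator group carry EXPECTED_PERM.
check_portal_admins() {
    acl_has_entry "$1" User "$2" "$EXPECTED_PERM" || return 1
    acl_has_entry "$1" Group "$3" "$EXPECTED_PERM" || return 1
}

if check_portal_admins "$SAMPLE_ACL_SHOW" wpsadmin wpsadmins; then
    echo "ok: wpsadmin and wpsadmins hold $EXPECTED_PERM on $ACL_NAME"
else
    echo "missing entry; fix with: pdadmin> acl modify $ACL_NAME set user wpsadmin $EXPECTED_PERM" >&2
fi
```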

If you log on to WebSphere Portal for administration purposes and you intend to externalize resources to TAM, remember the following:

  • You must be a member of the wpsadmins group

  • The wpsadmins group must appear in the ACL...

    VIRTUAL/EXTERNAL_ACCESS_CONTROL_1
