Configure TAM for authentication, authorization, and the Credential Vault

To configure authentication, authorization and the vault adapter all at once...

  1. On the WebSphere Portal machine, make a backup of...

    portal_server_root/config/wpconfig.properties

  2. Verify connectivity to IBM Tivoli Access Manager (TAM) for e-business by running the validate-pdadmin-connection configuration task.

    The validate-pdadmin-connection task verifies that the TAM AMJRTE SvrSslCfg command has run and that WebSphere Portal has the necessary configuration parameters to communicate with TAM.

    If the SvrSslCfg command has not run, see step 3 to run the run-svrssl-config task.

    1. Edit...

      portal_server_root/config/wpconfig.properties

      ...and set the following values in the Advanced Security Configuration section of the file:

      Input        Description
      PDAdminId    User ID for the administrative TAM user.
      PDAdminPw    Password for the administrative TAM user.
      PDPermPath   The location of the TAM AMJRTE properties file.

    2. Save the file.

    3. Execute...

      ...where server1 is the name of the WebSphere Application Server administrative server.

    4. Run the validate-pdadmin-connection configuration task.

      Possible errors:

      • Cannot contact server: verify the PDAdminId and PDAdminPw values in the wpconfig.properties file.

      • java.io.FileNotFoundException: on a new WebSphere Application Server and WebSphere Portal installation this indicates that the task failed because the PDPerm.properties file was not found. Recovery is covered in the next step. The error message in detail:

        Wrappered Exception:
        java.security.PrivilegedActionException: java.io.FileNotFoundException:
        C:\WebSphere\AppServer\java\jre\PdPerm.properties
        (The system cannot find the path specified)
        [
        HPDJA0108E   Invalid argument: Null configuration URL.
        ]

  3. If the validate-pdadmin-connection task succeeded, skip to the next step. If the task failed because the file PDPerm.properties was not found, do the following:

    1. Edit the portal_server_root/config/wpconfig.properties file and enter the appropriate values in the Advanced Security Configuration section of the file. Do not change any settings other than those specified in these steps.

      Input               Description
      PDAdminId           User ID for the administrative TAM user.
      PDAdminPw           Password for the administrative TAM user.
      PDPermPath          The location of the TAM AMJRTE properties file.
      PDServerName        Unique application name used to create a new Tivoli server in the Access Manager Policy Server. This server represents the WebSphere Portal JVM in the pdadmin server list command. If a server with the same name already appears in the server list command, the SvrSslCfg command will fail.
      SvrSslCfgPort       Configuration port for the application name.
      SvrSslCfgMode       Configuration mode of the SvrSslCfg command.
      TamHost             Defines the TAM Policy Server used when running PDJrteCfg.
      PDPolicyServerList  Defines the hostname, port, and priority combinations for the TAM Policy Servers used when running SvrSslCfg.
      PDAuthzServerList   Defines the hostname, port, and priority combinations for the TAM authorization servers.
      PDKeyPath           Stores the encryption keys used for the SSL communication between AMJRTE and TAM.

    2. Save the file.

    3. Execute the run-svrssl-config task...

      If the configuration task fails, validate the values in the wpconfig.properties file.

    4. Re-run the validate-pdadmin-connection task after the run-svrssl-config task completes successfully.

  4. Enable the TAI and authorization, and set up the Credential Vault adapter.

    1. Edit...

      portal_server_root/config/wpconfig.properties

      ...file and enter the appropriate values in the Advanced Security Configuration section of the file:

      Input            Description
      EACserverName    (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the TAM namespace. If set, EACcellName and EACappName must also be set.
      EACcellName      (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the TAM namespace. If set, EACserverName and EACappName must also be set.
      EACappName       (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the TAM namespace. If set, EACcellName and EACserverName must also be set.
      reorderRoles     (Optional) Determines whether externalized Portal role names are displayed with the resource type first or with the role type first.
      PDAdminId        User ID for the administrative TAM user.
      PDAdminPw        Password for the administrative TAM user.
      PDPermPath       The location of the TAM AMJRTE properties file.
      TamHost          Defines the TAM Policy Server used when running PDJrteCfg.
      JunctionType     The type of junction to be created in TAM. Accepted values are tcp and ssl.
      JunctionPoint    The WebSEAL junction point to the WebSphere Portal installation.
      WebSealInstance  Specifies the WebSEAL installation used to create the junction.
      TAICreds         The headers inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.
      WebSealHost      (Optional) Sets the WebSEAL TAI's hostnames parameter.
      WebSealPort      (Optional) Sets the WebSEAL TAI's ports parameter.
      WebSealUser      For tcp junctions. The reverse proxy identity used when you create a TCP junction.
      BaUserName       For ssl junctions. The reverse proxy identity used when you create an SSL junction.
      BaPassword       For ssl junctions. When you create an SSL junction, you can provide a password for the identity representing the reverse proxy on every request.
      PDRoot           Root objectspace entry in the TAM namespace. All Portal roles will be installed under this objectspace entry. If you will be using TAM for multiple portal profiles, choose a unique name for each root objectspace entry to distinguish one portal profile's entry from another's.
      PDAction         Custom action created by the TAM external authorization plugin. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles.
      PDActionGroup    Custom action group created by the TAM external authorization plugin. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized Portal roles. TAM accommodates a maximum of 30 custom action groups.
      PDCreateAcl      Determines whether the portal can automatically create and attach a TAM ACL when Portal externalizes a role.
      vaultType        New vault type identifier representing the Tivoli GSO lockbox vault.
      vaultProperties  Defines a properties file used to configure the vault with TAM-specific user and SSL connection information.
      manageResources  Determines whether the portal credential vault or any custom portlet is allowed to create new resource objects in TAM.
      readOnly         Determines whether the portal credential vault or any custom portlet is allowed to modify the secrets stored in TAM.
      WpsHostName      The fully qualified URL to WebSphere Portal.
      WpsHostPort      The port number used to access the host machine identified by the WpsHostName property.

    2. Save the file.

    3. Run the following to create and populate...

      portal_server_root/shared/app/config/accessmanagervault.properties:

      If the configuration task fails, validate the values in the wpconfig.properties file.

  5. (Optional) Enable user provisioning.

  6. Use the steps in the links provided below to verify that the enable-tam-all task was successfully completed:
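The steps above state several rules that are easy to get wrong when editing wpconfig.properties by hand: PDAdminId, PDAdminPw and PDPermPath must all be present before validate-pdadmin-connection will work, a PDPermPath that does not exist yet produces the FileNotFoundException shown in step 2, the three EAC* keys are optional only as a group, and the JunctionType decides whether WebSealUser or BaUserName is needed. The following pre-flight check is an added example, not IBM's code or part of the original page; it reads the Advanced Security Configuration keys from a constructed sample of the file (placeholder hosts, names and password) and reports violations of those rules before any configuration task is run.

```python
"""Pre-flight check of the TAM settings in wpconfig.properties.

Added example, not IBM's code: it reads the Advanced Security Configuration
keys described in the steps above and applies the rules those steps state
(PDAdminId/PDAdminPw/PDPermPath needed by validate-pdadmin-connection, the
EAC* keys set as a group, JunctionType tcp or ssl with its matching identity
key) before any configuration task is run.
"""
import os
import re

# Constructed sample of the section; hosts, names and the password are placeholders.
SAMPLE_WPCONFIG = """\
# Advanced Security Configuration (constructed sample)
PDAdminId=sec_master
PDAdminPw=ReplaceWithRealPassword
PDPermPath=/opt/WebSphere/AppServer/java/jre/PdPerm.properties
PDServerName=amwp_portal1
SvrSslCfgPort=7223
SvrSslCfgMode=create
TamHost=tam.example.com
PDPolicyServerList=tam.example.com:7135:1
PDAuthzServerList=tamauthz.example.com:7136:1
EACserverName=
EACcellName=
EACappName=
JunctionType=tcp
JunctionPoint=/wps
WebSealInstance=default-webseald-webseal.example.com
WebSealUser=wpsadmin
PDRoot=/WPS
PDAction=m
PDActionGroup=[WPS]
"""

PDADMIN_KEYS = ("PDAdminId", "PDAdminPw", "PDPermPath")
EAC_KEYS = ("EACserverName", "EACcellName", "EACappName")
_ENTRY = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key: value,
    trailing-backslash continuation lines. Returns a dict of str -> str."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        match = _ENTRY.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_tam_config(props, path_exists=os.path.exists):
    """Return a list of problems; an empty list means the stated rules hold.
    Messages name keys only, never values, so PDAdminPw is not echoed into logs."""
    problems = []
    for key in PDADMIN_KEYS:
        if not props.get(key):
            problems.append(f"{key} is required for validate-pdadmin-connection")
    # The FileNotFoundException on PdPerm.properties shown in step 2 comes from a
    # PDPermPath that does not exist yet; run-svrssl-config (step 3) creates it.
    perm_path = props.get("PDPermPath")
    if perm_path and not path_exists(perm_path):
        problems.append("PDPermPath does not exist; run run-svrssl-config (step 3) first")
    # EAC* keys are optional individually but must be set as a complete triple.
    eac_set = [k for k in EAC_KEYS if props.get(k)]
    if eac_set and len(eac_set) != len(EAC_KEYS):
        missing = ", ".join(k for k in EAC_KEYS if k not in eac_set)
        problems.append(f"{', '.join(eac_set)} set but {missing} missing")
    # JunctionType decides which reverse-proxy identity key must be present.
    junction = props.get("JunctionType", "").lower()
    if junction not in ("tcp", "ssl"):
        problems.append("JunctionType must be tcp or ssl")
    elif junction == "tcp" and not props.get("WebSealUser"):
        problems.append("WebSealUser is required for a tcp junction")
    elif junction == "ssl" and not props.get("BaUserName"):
        problems.append("BaUserName is required for an ssl junction")
    return problems


if __name__ == "__main__":
    # Against the real file: parse_properties(open(path).read()) with the default path_exists.
    findings = check_tam_config(parse_properties(SAMPLE_WPCONFIG))
    for finding in findings:
        print("PROBLEM:", finding)
    print("OK" if not findings else f"{len(findings)} problem(s) found")
```

Run it against the real portal_server_root/config/wpconfig.properties before step 2; on a machine where run-svrssl-config has not yet run, the PDPermPath finding is expected and matches the failure described in step 2. The check deliberately reports key names only, so the output can be pasted into a ticket without leaking the PDAdminPw value.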


Parent Topic

Using TAM with WebSphere Portal