Configure the JACC provider for Tivoli Access Manager


To configure Tivoli Access Manager as the JACC provider...

  1. Verify that all managed servers, including the node agents, are started.

  2. Create a security administrative user.

  3. Open the WAS console for the management server...

    http://yourhost.domain:port_number/ibm/console

  4. Click...

    Security | Secure administration, applications, and infrastructure | External authorization providers | General properties | External authorization using a JACC provider | Related items | External JACC provider | Additional properties | TAM Properties

  5. On the TAM JACC provider configuration panel, enter...

    Enable embedded TAM

    Select this option to enable TAM.

    Ignore errors during embedded TAM disablement

    Select this option when you want to unconfigure the JACC provider. Do not select this option during configuration.

    Client listening port set

    WAS must listen on a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node or machine, so a set of ports is needed. Enter the listening ports used by the TAM clients, separated by commas. To specify a range of ports, separate the lower and higher values by a colon (:). For example...

    7999, 9990:9999

    Policy server

    Name of the TAM policy server...

    policy_server:port

    The default port is 7135.

    Authorization servers

    Name of the TAM authorization server...

    auth_server:port:priority

    The default port is 7136. More than one authorization server can be specified by separating the entries with commas; specifying more than one is useful for failover and performance.

    The priority value determines the order in which the authorization servers are used. For example...

    auth_server1:7136:1
    auth_server2:7137:2

    A priority value of 1 is required when configuring against a single authorization server.

    Administrator user name

    Enter the TAM administrator user name that was created when TAM was configured; it is usually sec_master.

    Administrator user password

    Enter the TAM administrator password.

    User registry distinguished name suffix

    Enter the distinguished name suffix for the user registry that is shared between TAM and WAS, for example...

    o=ibm,c=us

    Security domain

    You can create more than one security domain in TAM, each with its own administrative user. Users, groups and other objects are created within a specific domain and are not permitted to access resources in another domain. Enter the name of the TAM security domain that is used to store WAS users and groups.

    If a security domain is not established at the time of the TAM configuration, leave the value as Default.

    Administrator user distinguished name

    Enter the full distinguished name of the WAS security administrator ID. For example...

    cn=wasadmin,o=organization,c=country

    The ID name must match the Server user ID on the LDAP user registry panel in the console.

    Security | Secure administration, applications, and infrastructure | User account repository | Realm Definition | Standalone LDAP registry | Configure

  6. When all information is entered, click OK to save the configuration properties.

    WAS...

    These processes might take some time depending on network traffic or the speed of your machine.

  7. Propagate the configuration to the nodes using synchronization.

    The parameters are copied to all subordinate servers, including the node agents.

  8. Restart all of the servers, including the host server, and enable WAS security.
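    A typo in any of the step 5 fields (a port range written higher:lower, a missing priority 1, an administrator DN that does not match the LDAP Server user ID) only surfaces after the save, synchronization and restart above. The following pre-flight check is an added example, not IBM code and not part of the product: it validates the values you intend to type into the console against the rules stated on this page. The field names in the dictionary and the sample values are constructed for illustration; the fallback to the stated default ports when a port is omitted is an assumption.

```python
"""Pre-flight validator for the TAM JACC provider console fields.

Added example (not IBM's code). Encodes the page's rules: comma-separated
listening ports with lower:higher ranges; host:port:priority authorization
servers whose priorities run 1..n (so a single server must be priority 1);
default ports 7135 (policy) and 7136 (authorization); the Administrator
user DN must match the LDAP Server user ID and sit under the registry suffix.
"""
from dataclasses import dataclass

DEFAULT_POLICY_PORT = 7135   # TAM policy server default port (from the page)
DEFAULT_AUTHZN_PORT = 7136   # TAM authorization server default port (from the page)


def parse_port_set(text):
    """Client listening port set: comma-separated entries, a range as
    lower:higher. Returns the sorted list of individual ports."""
    ports = set()
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        if ":" in entry:
            lo, hi = (int(v) for v in entry.split(":", 1))
            if lo > hi:
                raise ValueError(f"range {entry!r}: lower value exceeds higher value")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(entry))
    if not ports:
        raise ValueError("no listening ports specified")
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"ports out of range: {bad}")
    return sorted(ports)


def parse_host_port(text, default_port):
    """host:port; assumption: an omitted port means the page's default."""
    host, _, port = text.strip().partition(":")
    if not host:
        raise ValueError("server host missing")
    return host, int(port) if port else default_port


@dataclass(frozen=True)
class AuthServer:
    host: str
    port: int
    priority: int


def parse_auth_servers(text):
    """Authorization servers: host:port:priority entries separated by commas.
    Priorities must be exactly 1..n (no gaps, no duplicates), which also
    enforces priority 1 for a single server. Returned in priority order."""
    servers = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) != 3:
            raise ValueError(f"{entry!r}: expected host:port:priority")
        host, port, prio = parts
        servers.append(AuthServer(host, int(port) if port else DEFAULT_AUTHZN_PORT, int(prio)))
    if not servers:
        raise ValueError("no authorization servers specified")
    prios = sorted(s.priority for s in servers)
    if prios != list(range(1, len(servers) + 1)):
        raise ValueError(f"priorities must be 1..{len(servers)}, got {prios}")
    return sorted(servers, key=lambda s: s.priority)


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN comparison form."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def rdn_value(dn, attr="cn"):
    """Value of the leftmost RDN, e.g. 'wasadmin' from 'cn=wasadmin,o=...'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().lower() == attr else None


def check_admin_dn(was_admin_dn, ldap_server_user_id, dn_suffix):
    """The Administrator user DN must name the same identity as the Server
    user ID on the LDAP registry panel (given as a short name or a full DN)
    and must lie under the registry suffix shared by TAM and WAS."""
    problems = []
    if "=" in ldap_server_user_id:
        same = normalize_dn(was_admin_dn) == normalize_dn(ldap_server_user_id)
    else:
        same = (rdn_value(was_admin_dn) or "").lower() == ldap_server_user_id.strip().lower()
    if not same:
        problems.append("Administrator user DN does not match the LDAP Server user ID")
    if not normalize_dn(was_admin_dn).endswith("," + normalize_dn(dn_suffix)):
        problems.append("Administrator user DN is not under the user registry suffix")
    return problems


def validate(cfg):
    """Return the list of problems for a dict of console field values;
    an empty list means the values are consistent with the page's rules."""
    problems = []
    for key, fn in (("port_set", parse_port_set), ("auth_servers", parse_auth_servers)):
        try:
            fn(cfg[key])
        except ValueError as e:
            problems.append(f"{key}: {e}")
    try:
        parse_host_port(cfg["policy_server"], DEFAULT_POLICY_PORT)
    except ValueError as e:
        problems.append(f"policy_server: {e}")
    if cfg.get("ignore_disable_errors"):   # the page: never select this during configuration
        problems.append("ignore_disable_errors must not be selected during configuration")
    problems += check_admin_dn(cfg["admin_dn"], cfg["ldap_server_user_id"], cfg["dn_suffix"])
    return problems


# Constructed sample values mirroring the page's examples (not a real site).
SAMPLE = {
    "port_set": "7999, 9990:9999",
    "policy_server": "policy_server:7135",
    "auth_servers": "auth_server1:7136:1,auth_server2:7137:2",
    "admin_dn": "cn=wasadmin,o=organization,c=country",
    "ldap_server_user_id": "wasadmin",
    "dn_suffix": "o=organization,c=country",
    "ignore_disable_errors": False,
}

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["configuration values are consistent"]:
        print(line)
```

    Run it against your own values before step 6; a non-empty result means the console will accept input that TAM cannot use, and the failure would otherwise only show after the synchronization and restart.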

    Related tasks

    Disabling embedded TAM client using the administrative console
    Configure the JACC provider for TAM using the wsadmin utility
    Disabling embedded TAM client using wsadmin
    Enabling an external JACC provider