Configure Tivoli Access Manager for authentication, authorization, and the Credential Vault

 

To configure authentication, authorization, and the vault adapter:

In a clustered environment, perform the following steps on only one node.

  1. Validate that AMJRTE properties exist:

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password

    If this task fails, run the run-svrssl-config task to create the properties file.

    Then attempt the validate-pdadmin-connection task again. If it still fails, do not proceed any further: it indicates that WebSphere Portal cannot connect to the TAM server, and the subsequent tasks will fail.

  2. Edit the following file:

      profile_root/ConfigEngine/properties/wkplc_comp.properties

  3. Set the following properties:

    wp.ac.impl.EACserverName
        Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.

    wp.ac.impl.EACcellName
        Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.

    wp.ac.impl.EACappname
        Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserverName must also be set.

    wp.ac.impl.reorderRoles
        false to keep the role order, or true to reorder the roles by resource type first.

    wp.ac.impl.TamHost
        Tivoli Access Manager Policy Server used when running PDJrteCfg.

    wp.ac.impl.JunctionType
        tcp or ssl, to define the type of junction to be created in TAM.

    wp.ac.impl.JunctionPoint
        WebSEAL junction point to the WebSphere Portal installation. This value must begin with the / character.

    wp.ac.impl.WebSealInstance
        WebSEAL installation used to create the junction.

    wp.ac.impl.TAICreds
        Headers inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.

    wp.ac.impl.JunctionHost
        Backend server host name to supply to the junction create command.

    wp.ac.impl.JunctionPort
        Backend server port to supply to the junction create command.

    wp.ac.impl.hostnames (optional)
        Host name that sets the WebSEAL TAI's host name parameter.

    wp.ac.impl.ports (optional)
        Port used to set the WebSEAL TAI's ports parameter.

    wp.ac.impl.loginId
        Reverse proxy identity used when you create a TCP junction.

    wp.ac.impl.BaUserName
        Reverse proxy identity used when you create an SSL junction.

    wp.ac.impl.BaPassword
        Password for wp.ac.impl.BaUserName.

    wp.ac.impl.PDRoot
        Root objectspace entry in the TAM namespace. All Portal roles are installed under this objectspace entry. If you use TAM for multiple profiles, choose a unique name for each root objectspace entry so that one profile's entry is easily distinguished from another's.

    wp.ac.impl.PDAction
        Custom action created by the TAM external authorization plug-in. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized portal roles.

    wp.ac.impl.PDActionGroup
        Custom action group created by the TAM external authorization plug-in. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized portal roles.

    wp.ac.impl.PDCreateAcl
        true to automatically create and attach a TAM ACL when WebSphere Portal externalizes a role, or false not to create and attach a TAM ACL when a role is externalized.

    wp.ac.impl.vaultType
        New vault type identifier representing the Tivoli GSO lockbox vault.

    wp.ac.impl.vaultProperties
        File used to configure the vault with TAM-specific user and SSL connection information.

    wp.ac.impl.manageResources
        true if the credential vault or any custom portlets are allowed to create new resource objects in TAM, or false to allow only the TAM administrator to define, from the command line or graphical user interface, the accessible resources to associate users with.

    wp.ac.impl.readOnly
        true to allow the credential vault or any custom portlets to modify the secrets stored in TAM, or false to allow only the TAM administrator to modify the secrets from the command line or graphical user interface.

  4. Save changes to wkplc_comp.properties.

  5. Run the enable-tam-all task:

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh enable-tam-all -DWasPassword=password

    If this is a clustered environment, WasPassword is the Deployment Manager administrative password.

    If the configuration task fails, validate the values in wkplc_comp.properties.

  6. Optional: Enable user provisioning

  7. Stop and start the server1 and WebSphere_Portal servers:

      cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal
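As an added example that is not part of the IBM documentation, the following POSIX shell pre-check reads the TAM properties from wkplc_comp.properties and enforces the rules stated in step 3 (the three EAC* properties are all-or-nothing, JunctionType is tcp or ssl, JunctionPoint begins with /, the switches are true or false, and the junction type has its matching credential property set) before enable-tam-all is run. The helper names and the sample file contents are constructed for illustration.

```shell
# Added example, not from the IBM documentation: check the TAM values in wkplc_comp.properties
# against the rules stated in step 3 before running enable-tam-all. Sample data is constructed.
# Print the value of property $2 (text after the first '=') from file $1.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# Print one line per failed check; return 0 only if every check passes.
check_tam_props() {
    f=$1; rc=0; n=0
    # EACserverName, EACcellName and EACappname are all-or-nothing.
    for k in EACserverName EACcellName EACappname; do
        [ -n "$(prop "$f" wp.ac.impl.$k)" ] && n=$((n + 1))
    done
    if [ "$n" -ne 0 ] && [ "$n" -ne 3 ]; then
        echo "EACserverName, EACcellName and EACappname must be set together"; rc=1
    fi
    # JunctionType must be tcp or ssl; JunctionPoint must begin with '/'.
    jt=$(prop "$f" wp.ac.impl.JunctionType)
    case "$jt" in tcp|ssl) ;; *) echo "JunctionType must be tcp or ssl (got '$jt')"; rc=1 ;; esac
    jp=$(prop "$f" wp.ac.impl.JunctionPoint)
    case "$jp" in /*) ;; *) echo "JunctionPoint must begin with / (got '$jp')"; rc=1 ;; esac
    # The on/off switches accept only true or false.
    for k in reorderRoles PDCreateAcl manageResources readOnly; do
        v=$(prop "$f" wp.ac.impl.$k)
        case "$v" in true|false) ;; *) echo "wp.ac.impl.$k must be true or false (got '$v')"; rc=1 ;; esac
    done
    # An SSL junction authenticates with BaUserName, a TCP junction with loginId.
    case "$jt" in
        ssl) [ -n "$(prop "$f" wp.ac.impl.BaUserName)" ] || { echo "BaUserName is required for an ssl junction"; rc=1; } ;;
        tcp) [ -n "$(prop "$f" wp.ac.impl.loginId)" ] || { echo "loginId is required for a tcp junction"; rc=1; } ;;
    esac
    return $rc
}
# Write a constructed sample to file $1; $2 is the EACcellName value (empty = the all-or-nothing mistake).
make_sample() {
    cat > "$1" <<EOF
wp.ac.impl.EACserverName=WebSphere_Portal
wp.ac.impl.EACcellName=$2
wp.ac.impl.EACappname=wps
wp.ac.impl.reorderRoles=false
wp.ac.impl.JunctionType=ssl
wp.ac.impl.JunctionPoint=/wps
wp.ac.impl.BaUserName=wpsadmin
wp.ac.impl.PDCreateAcl=true
wp.ac.impl.manageResources=false
wp.ac.impl.readOnly=true
EOF
}
```

Run it as `check_tam_props profile_root/ConfigEngine/properties/wkplc_comp.properties` before step 5; a non-zero exit with the printed findings means the file still needs editing.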


Parent topic:

Configure TAM


Related tasks


Creating the AMJRTE properties file