

Configure Tivoli Access Manager to perform authorization

You can configure IBM Tivoli Access Manager to perform authorization as a task that is independent of configuring it to perform authentication, but you must configure both: using Tivoli Access Manager for authorization only is not supported. Complete the steps in the topic Configure Tivoli Access Manager to perform authentication only before you configure Tivoli Access Manager to perform authorization.

There are additional considerations when you set up security to use an external security manager in a cluster environment and across mixed nodes. For instance, it is recommended that you perform any configuration for an external security manager only after you have completed all other configuration tasks, including verifying that the cluster is functional. To configure Tivoli Access Manager to perform authorization:

In a clustered environment, perform the following steps on all nodes.

  1. Run the following validation task to verify that the AMJRTE properties file exists:

    Windows: ConfigEngine.bat validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory
    UNIX: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory
    i5/OS: ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password from the profile_root/ConfigEngine directory

    If this task fails, run the run-svrssl-config task to create the properties file; see "Creating the AMJRTE properties file" for information about running that task. Then run the validate-pdadmin-connection task again. If it still fails, do not proceed any further: the portal cannot connect to the Tivoli Access Manager server, and the subsequent tasks will fail.

  2. Enter only the following parameters in the wkplc_comp.properties file under the Namespace management parameters heading:

    1. For wp.ac.impl.EACserverName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.

    2. For wp.ac.impl.EACcellName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.

    3. For wp.ac.impl.EACappname, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserverName must also be set.

    4. For wp.ac.impl.reorderRoles, type false to keep the role order or true to reorder the roles by resource type first.

  3. Enter only the following parameters in the wkplc_comp.properties file under the Portal authorization parameters heading:

    1. For wp.ac.impl.PDRoot, type the root objectspace entry in the Tivoli Access Manager namespace. All Portal roles will be installed under this objectspace entry. If you will be using Tivoli Access Manager for multiple profiles, choose a unique name for each root objectspace entry to easily distinguish one entry from another profile entry.

    2. For wp.ac.impl.PDAction, type the Custom Action created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    3. For wp.ac.impl.PDActionGroup, type the Custom Action group created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    4. For wp.ac.impl.PDCreateAcl, type true to automatically create and attach a Tivoli Access Manager ACL when WebSphere Portal externalizes a role or false to not create and attach a Tivoli Access Manager ACL when WebSphere Portal externalizes a role.

  4. Save changes to the wkplc_comp.properties file.

  5. Run the following task to enable Tivoli Access Manager authorization:

    Windows: ConfigEngine.bat enable-tam-authorization -DWasPassword=password from the profile_root/ConfigEngine directory
    UNIX: ./ConfigEngine.sh enable-tam-authorization -DWasPassword=password from the profile_root/ConfigEngine directory
    i5/OS: ConfigEngine.sh enable-tam-authorization -DWasPassword=password from the profile_root/ConfigEngine directory

    In a clustered environment, WasPassword is the Deployment Manager administrative password.

    If the configuration task fails, validate the values in the wkplc_comp.properties file.

  6. Stop and restart the server1 and WebSphere_Portal servers, where server1 is the name of the WebSphere Application Server (WAS) server and WebSphere_Portal is the name of the WebSphere Portal server:

    1. Open a command prompt and change to the following directory:

      • Windows: profile_root\bin

      • UNIX: profile_root/bin

      • i5/OS: profile_root/bin

    2. Enter the following command to stop the WAS:

      • Windows: stopServer.bat server1 -username admin_userid -password admin_password

      • UNIX: ./stopServer.sh server1 -username admin_userid -password admin_password

      • i5/OS: stopServer server1 -username admin_userid -password admin_password

    3. Enter the following command to stop the WebSphere_Portal server, where WebSphere_Portal is the name of the WebSphere Portal server:

      • Windows: stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

      • UNIX: ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

      • i5/OS: stopServer WebSphere_Portal -username admin_userid -password admin_password

    4. Enter the following command to start the WAS:

      • Windows: startServer.bat server1

      • UNIX: ./startServer.sh server1

      • i5/OS: startServer server1

    5. Enter the following command to start the WebSphere_Portal server, where WebSphere_Portal is the name of the WebSphere Portal server:

      • Windows: startServer.bat WebSphere_Portal

      • UNIX: ./startServer.sh WebSphere_Portal

      • i5/OS: startServer WebSphere_Portal

After you complete this authorization procedure, the Tivoli Access Manager protected object space contains an entry for each externalized role in the format PortalServer_root/role_name/appname/server_name/cell_name, where PortalServer_root is the root objectspace entry set in wp.ac.impl.PDRoot and appname, server_name and cell_name come from the wp.ac.impl.EAC* parameters; for example: PortalServer_root/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell.
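The following POSIX shell script is an added example, not IBM's own ConfigEngine scripting, of how a practitioner would drive steps 1 through 5 of the procedure above so that the property edits are idempotent, the all-or-none rule for the three wp.ac.impl.EAC* parameters is checked before any task runs, and the run stops as soon as validate-pdadmin-connection fails. The path of wkplc_comp.properties under profile_root/ConfigEngine/properties, the helper names, and the environment variables PROFILE_ROOT, WAS_PASSWORD, PDADMIN_PASSWORD and CE_DRY_RUN are assumptions for this example and do not come from the page.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed: PROFILE_ROOT, WAS_PASSWORD, PDADMIN_PASSWORD
# and CE_DRY_RUN environment variables; wkplc_comp.properties location; helper names.
set -u

# Replace or append key=value in a Java properties file so that re-running the
# script leaves exactly one copy of the key. The key is used as a basic regex, so
# '.' matches any character, which is harmless for the wp.ac.impl.* names used here.
set_prop() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  grep -v "^${key}=" "$file" > "$file.tmp" || true   # grep -v exits 1 on empty output
  printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

get_prop() {
  [ -f "$1" ] || return 0
  sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Step 2 rule: EACserverName, EACcellName and EACappname are all set or all empty.
check_namespace_params() {
  f=$1 n=0
  for k in wp.ac.impl.EACserverName wp.ac.impl.EACcellName wp.ac.impl.EACappname; do
    [ -n "$(get_prop "$f" "$k")" ] && n=$((n + 1))
  done
  [ "$n" -eq 0 ] || [ "$n" -eq 3 ]
}

# The protected-object-space entry the procedure creates for one externalized role:
# PDRoot/role_name/appname/server_name/cell_name.
role_entry() {
  f=$1 role=$2
  printf '%s/%s/%s/%s/%s\n' "$(get_prop "$f" wp.ac.impl.PDRoot)" "$role" \
    "$(get_prop "$f" wp.ac.impl.EACappname)" "$(get_prop "$f" wp.ac.impl.EACserverName)" \
    "$(get_prop "$f" wp.ac.impl.EACcellName)"
}

# ConfigEngine wrapper. The -D values are visible to anyone who can list processes
# while a task runs, so run this only on a host where process listing is restricted
# to administrators. With CE_DRY_RUN=1 only the task name is echoed.
run_ce() {
  if [ "${CE_DRY_RUN:-0}" = 1 ]; then
    echo "dry run: ConfigEngine.sh $1"
    return 0
  fi
  ( cd "$PROFILE_ROOT/ConfigEngine" && ./ConfigEngine.sh "$@" )
}

configure_tam_authz() {
  props=$1
  check_namespace_params "$props" || {
    echo "EACserverName, EACcellName and EACappname must all be set or all empty" >&2
    return 2
  }
  # Step 1: stop here if the portal cannot reach the Tivoli Access Manager server.
  run_ce validate-pdadmin-connection "-DWasPassword=$WAS_PASSWORD" \
    "-Dwp.ac.impl.PDAdminPwd=$PDADMIN_PASSWORD" || {
    echo "validate-pdadmin-connection failed; run run-svrssl-config and retry" >&2
    return 1
  }
  # Step 5 (steps 2-4 are the property edits the caller makes before this runs).
  run_ce enable-tam-authorization "-DWasPassword=$WAS_PASSWORD"
}

# Usage: export PROFILE_ROOT, WAS_PASSWORD and PDADMIN_PASSWORD, then
#   sh configure-tam-authz.sh --run
if [ "${1:-}" = "--run" ]; then
  p="$PROFILE_ROOT/ConfigEngine/properties/wkplc_comp.properties"
  set_prop "$p" wp.ac.impl.PDRoot PortalServer_root
  set_prop "$p" wp.ac.impl.EACserverName server
  set_prop "$p" wp.ac.impl.EACcellName cell
  set_prop "$p" wp.ac.impl.EACappname app
  set_prop "$p" wp.ac.impl.reorderRoles false
  set_prop "$p" wp.ac.impl.PDCreateAcl true
  configure_tam_authz "$p"
fi
```

Restarting server1 and WebSphere_Portal (step 6) is left to the stopServer and startServer commands shown above, since those take the administrative credentials on their own command line in the same way.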


Parent topic:

Configure Tivoli Access Manager


Related tasks


Creating the AMJRTE properties file