Configure TAM for authentication, authorization, and the Credential Vault


Overview

For clustered environments, complete each step in this task on ALL nodes.

  1. Install WebSphere Portal, database, and user registry.

  2. Start the Tivoli Access Manager policy and authorization servers.

  3. Install and configure WebSEAL.

  4. Create an SSL junction using LTPA authentication on the WebSEAL node (Optional):

    Open a pdadmin command prompt from any node that has a TAM Runtime component installed, including:

    • TAM Server node
    • WebSEAL node
    • WebSphere Portal node

    ...and enter the server task command...

       server task WebSEAL-Instance-webseald-WebSEAL-HostName create \
              -t ssl \
              -b filter \
              -A \
              -F LTPA-Keys-Path \
              -Z LTPA-Password \
              -h Target-Host \
              -c all /Junction-Name

    ...where...

      -A Enable LTPA cookies.
      -F Path on the WebSEAL server to the key file used to encrypt the shared key. The key file is originally created on the WAS server and copied securely to the WebSEAL server. Disable automatic LTPA key generation.
      -Z Password required to open the LTPA key file.

  5. If required, set up an SSL junction

  6. To use an SSL junction:

    1. Use the IBM Key Management utility to load the Web server certificate into the keyring for the appropriate instance of WebSEAL.

    2. Restart WebSEAL.

  7. Create the trusted user account in the TAM user registry

    This is the ID and password that WebSEAL uses to identify itself to WAS. To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account should be for the TAI only.

      pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
      pdadmin> user modify webseal_userid account-valid yes

  8. On all nodes, validate that the AMJRTE properties file exists:

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo

    If the task does not run successfully: Run run-svrssl-config to create the properties file, then run the validate-pdadmin-connection task again. If the task is not successful after a second attempt, do not perform any subsequent steps in this topic. The fact that the task does not run successfully indicates that the portal cannot connect to the TAM server.

  9. On all nodes, edit...

      WP_PROFILE/ConfigEngine/properties/wkplc_comp.properties

    ...set the namespace management parameters...

    wp.ac.impl.EACserverName Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.
    wp.ac.impl.EACcellName Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.
    wp.ac.impl.EACappname Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserverName must also be set.
    wp.ac.impl.reorderRoles Set false to keep role order or true to reorder the roles by resource type first.
    wp.ac.impl.TamHost TAM Policy Server used when running PDJrteCfg.

  10. On all nodes, in wkplc_comp.properties, set WebSEAL junction parameters:

    wp.ac.impl.JunctionType tcp or ssl to define the type of junction to be created in TAM.
    wp.ac.impl.JunctionPoint The WebSEAL junction point to the WebSphere Portal installation. Must begin with the / character.
    wp.ac.impl.WebSealInstance The WebSEAL installation used to create the junction.
    wp.ac.impl.TAICreds The headers inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.
    wp.ac.impl.JunctionHost The backend server host name to supply to the junction create command.
    wp.ac.impl.JunctionPort The backend server port to supply to the junction create command.

  11. On all nodes, in wkplc_comp.properties, set WAS WebSEAL TAI parameters:

    wp.ac.impl.hostnames Host name that sets the WebSEAL TAI's host name parameter. Optional.
    wp.ac.impl.ports Port used to set the WebSEAL TAI's ports parameter. Optional.
    wp.ac.impl.loginId Reverse proxy identity used when you create a TCP junction. The user ID you specify must be an existing user in the LDAP directory that WAS security can authenticate. The user ID must also be registered and validated in TAM. WebSEAL requires this user ID to authenticate with WAS security.
    wp.ac.impl.BaUserName Reverse proxy identity used when you create an SSL junction. The user ID you specify must be an existing user in the LDAP directory that WAS security can authenticate. The user ID must also be registered and validated in TAM. WebSEAL requires this user ID to authenticate with WAS security.
    wp.ac.impl.BaPassword Password for the wp.ac.impl.BaUserName.

  12. On all nodes, in wkplc_comp.properties, set Portal authorization parameters:

    wp.ac.impl.PDRoot Root objectspace entry in the TAM namespace. All Portal roles will be installed under this objectspace entry. For TAM with multiple profiles, choose a unique name for each root objectspace.
    wp.ac.impl.PDAction Custom Action created by the TAM external authorization plug-in. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized portal roles.
    wp.ac.impl.PDActionGroup Custom Action group created by the TAM external authorization plug-in. The combination of the action group and the action determines the TAM permission string required to assign membership to externalized portal roles.
    wp.ac.impl.PDCreateAcl Set true to automatically create and attach a TAM ACL when WebSphere Portal externalizes a role. Set false to not create and attach a TAM ACL when WebSphere Portal externalizes a role.

  13. On all nodes, in wkplc_comp.properties, set Portal vault parameters:

    wp.ac.impl.vaultType Set the new vault type identifier representing the Tivoli GSO lockbox vault.
    wp.ac.impl.vaultProperties Set the file used to configure the vault with TAM specific user and SSL connection information.
    wp.ac.impl.manageResources Set true if the credential vault or any custom portlets are allowed to create new resource objects in TAM or set false to allow only the TAM administrator to define the accessible resources to associate users with from the command line or graphical user interface.
    wp.ac.impl.readOnly Set true to allow credential vault or any custom portlets to modify the secrets stored in TAM. Set false to allow only the TAM administrator to modify the secrets from the command line or graphical user interface.

  14. Save changes

  15. On all nodes, validate...

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh enable-tam-all -DWasPassword=foo

    If the task does not run successfully: Ensure the values you specified in wkplc_comp.properties are valid.
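A pre-flight check of the wp.ac.impl.* values before running enable-tam-all, as an added example that is not part of WebSphere Portal, TAM or this task: it parses a constructed wkplc_comp.properties fragment and flags values that break the rules stated in steps 7 and 9 to 13 (the three EAC parameters set all-or-none, junction type and point, the trusted user not being sec_master or wpsadmin, a password for an SSL junction). The parser, function names and sample values are assumptions.

```python
# Added pre-flight lint for the wp.ac.impl.* values set in steps 9 to 13; not
# part of WebSphere Portal or TAM, it only encodes the rules this task states.
RESERVED_IDS = {"sec_master", "wpsadmin"}  # never the trusted TAI user (step 7)
# Namespace parameters that must be set all together or not at all (step 9).
EAC_KEYS = ("wp.ac.impl.EACserverName", "wp.ac.impl.EACcellName",
            "wp.ac.impl.EACappname")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def lint_tam_properties(props):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    if 0 < sum(1 for k in EAC_KEYS if props.get(k)) < len(EAC_KEYS):
        findings.append("EACserverName, EACcellName and EACappname must be set together")
    jtype = props.get("wp.ac.impl.JunctionType", "")
    if jtype not in ("tcp", "ssl"):
        findings.append("wp.ac.impl.JunctionType must be tcp or ssl")
    if not props.get("wp.ac.impl.JunctionPoint", "").startswith("/"):
        findings.append("wp.ac.impl.JunctionPoint must begin with /")
    # Which reverse-proxy identity key applies depends on the junction type (step 11).
    ident_key = "wp.ac.impl.loginId" if jtype == "tcp" else "wp.ac.impl.BaUserName"
    ident = props.get(ident_key, "")
    if not ident:
        findings.append(ident_key + " is required for this junction type")
    elif ident in RESERVED_IDS:
        findings.append(ident_key + " must not be " + ident + "; use a dedicated TAI account")
    if jtype == "ssl" and not props.get("wp.ac.impl.BaPassword"):
        findings.append("wp.ac.impl.BaPassword is required for an ssl junction")
    return findings

# Constructed sample with deliberate mistakes; not taken from any installation.
SAMPLE = """\
wp.ac.impl.EACserverName=WebSphere_Portal
wp.ac.impl.EACcellName=portalCell
wp.ac.impl.JunctionType=tcp
wp.ac.impl.JunctionPoint=wps
wp.ac.impl.loginId=wpsadmin
"""
FINDINGS = lint_tam_properties(parse_properties(SAMPLE))
print("\n".join("FAIL: " + f for f in FINDINGS) or "OK")
```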

  16. Enable user provisioning (Optional)

  17. Stop and restart the appropriate servers to propagate the changes.

  18. If you created a TCP junction in the previous steps, go to the WebSEAL machine and edit webseald-instance.conf for the appropriate WebSEAL instance (for example, webseald-default.conf). Set the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WAS; this user ID and password were created in an earlier step. Stop and start the WebSEAL server before continuing.

  19. The length of the generated URLs may cause problems if the WebSEAL instance is on the Windows platform. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.

