Configure Tivoli Access Manager to perform authorization

Configuring IBM Tivoli Access Manager to perform authorization is a separate task from configuring it to perform authentication, but you must do both: using Tivoli Access Manager for authorization alone is not supported.

Complete the steps in Configure Tivoli Access Manager to perform authentication only before you configure Tivoli Access Manager to perform authorization.

There are additional considerations when you are setting up security to use an external security manager in a cluster environment and across mixed nodes. For instance, it is recommended that you perform any configuration for an external security manager after completing all other configuration tasks, including ensuring that the cluster is functional.

Configure Tivoli Access Manager to perform authorization:

  1. Validate that the AMJRTE properties file exists and that the portal can reach the Tivoli Access Manager server:

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo

    Complete this step on all nodes.
    If the task does not run successfully: run run-svrssl-config to create the properties file (see Create the AMJRTE properties file), then run the validate-pdadmin-connection task again. If the task fails a second time, do not perform any subsequent steps in this topic: the failure means that the portal cannot connect to the Tivoli Access Manager server, and the remaining steps depend on that connection.

  2. Enter only the following parameters in wkplc_comp.properties under the Namespace management parameters heading:

    1. For wp.ac.impl.EACserverName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

        If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.

    2. For wp.ac.impl.EACcellName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

        If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.

    3. For wp.ac.impl.EACappname, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

        If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserverName must also be set.

    4. For wp.ac.impl.reorderRoles, type false to keep the role order or true to reorder the roles by resource type first.

      Clustered: Complete this step on all nodes.

  3. Enter only the following parameters in wkplc_comp.properties under the Portal authorization parameters heading:

    1. For wp.ac.impl.PDRoot, type the root objectspace entry in the Tivoli Access Manager namespace. All portal roles are installed under this objectspace entry. If several portal profiles use the same Tivoli Access Manager server, give each profile its own root objectspace entry so that the roles of one profile are distinguishable from those of another.

    2. For wp.ac.impl.PDAction, type the Custom Action created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    3. For wp.ac.impl.PDActionGroup, type the Custom Action group created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    4. For wp.ac.impl.PDCreateAcl, type true to have WebSphere Portal automatically create and attach a Tivoli Access Manager ACL each time it externalizes a role, or false to externalize roles without creating and attaching an ACL (in which case the ACL must be managed in Tivoli Access Manager).

      Clustered: Complete this step on all nodes.

  4. Save changes to the properties file.

  5. Run the enable-tam-authorization task from the WP_PROFILE/ConfigEngine directory:

    Task by operating system

    OS        Task
    Windows   ConfigEngine.bat enable-tam-authorization -DWasPassword=foo
    UNIX      ./ConfigEngine.sh enable-tam-authorization -DWasPassword=foo
    IBM i     ConfigEngine.sh enable-tam-authorization -DWasPassword=foo

      Complete this step on all nodes.


    If the task does not run successfully: Ensure the values in wkplc_comp.properties are valid.

  6. Stop and restart the appropriate servers to propagate the changes.

After you complete this procedure, the Tivoli Access Manager protected object space contains an entry for each externalized role in the format $PORTAL_HOME/role_name/application_name/server_name/cell_name, where $PORTAL_HOME is the root objectspace entry from wp.ac.impl.PDRoot and the last three components come from wp.ac.impl.EACappname, wp.ac.impl.EACserverName and wp.ac.impl.EACcellName; for example: $PORTAL_HOME/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/app/server/cell.
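The following script is an added example and is not IBM's code or part of this topic; it carries the procedure above through as one unit. It edits wkplc_comp.properties (assumed to live at WP_PROFILE/ConfigEngine/properties/wkplc_comp.properties) without duplicating keys, enforces the rule that the three EAC* namespace properties are set together, computes the protected-object name a role will receive, and runs the ConfigEngine tasks in the order the topic prescribes, stopping if validate-pdadmin-connection fails. The property values (WebSphere_Portal, cell01, wps, /WPS_profile1, m, WPS) are placeholders for this example, not IBM defaults. The passwords are read from the environment variables WAS_PASSWORD and PDADMIN_PASSWORD rather than typed as -D arguments, because arguments typed on the command line end up in shell history and in ps output.

```shell
#!/bin/sh
# Added example, not IBM's tooling: stage wkplc_comp.properties for TAM
# authorization and run the ConfigEngine tasks in the topic's order.
# Assumptions: WP_PROFILE is exported and points at the portal profile;
# WAS_PASSWORD and PDADMIN_PASSWORD hold the two passwords.
set -eu

# esc_re STRING: escape the characters that are special in a sed basic regex.
esc_re() { printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g'; }

# set_prop FILE KEY VALUE: replace an existing KEY=... line or append one,
# writing through a temp file so a failure never leaves FILE half-written.
set_prop() {
    file=$1 key=$2 value=$3
    pat=$(esc_re "$key")
    if grep -q "^${pat}=" "$file"; then
        repl=$(printf '%s' "$value" | sed 's|[\/&]|\\&|g')
        sed "s/^${pat}=.*/${key}=${repl}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the value of KEY (last occurrence wins, as java.util.Properties does).
get_prop() { sed -n "s/^$(esc_re "$2")=//p" "$1" | tail -n 1; }

# check_namespace_props FILE: EACserverName, EACcellName and EACappname must be
# set together or not at all; an incomplete trio is the misconfiguration caught here.
check_namespace_props() {
    n=0
    for k in wp.ac.impl.EACserverName wp.ac.impl.EACcellName wp.ac.impl.EACappname; do
        if [ -n "$(get_prop "$1" "$k")" ]; then n=$((n + 1)); fi
    done
    [ "$n" -eq 0 ] || [ "$n" -eq 3 ]
}

# role_object_name FILE ROLE: the protected-object entry a role receives,
# PDRoot/role_name/application_name/server_name/cell_name, built from FILE.
role_object_name() {
    printf '%s/%s/%s/%s/%s\n' "$(get_prop "$1" wp.ac.impl.PDRoot)" "$2" \
        "$(get_prop "$1" wp.ac.impl.EACappname)" \
        "$(get_prop "$1" wp.ac.impl.EACserverName)" \
        "$(get_prop "$1" wp.ac.impl.EACcellName)"
}

# configure_tam_authorization PROPS: the procedure itself, for one node.
configure_tam_authorization() {
    props=$1
    # Step 1: the gate. If the connection check fails, stop, as the topic instructs.
    ( cd "$WP_PROFILE/ConfigEngine" && ./ConfigEngine.sh validate-pdadmin-connection \
        "-DWasPassword=$WAS_PASSWORD" "-Dwp.ac.impl.PDAdminPwd=$PDADMIN_PASSWORD" ) || {
        echo "validate-pdadmin-connection failed: run run-svrssl-config (see Create the AMJRTE properties file) and retry; not continuing" >&2
        return 1
    }
    # Steps 2 and 3: placeholder values for this example, not IBM defaults.
    set_prop "$props" wp.ac.impl.EACserverName WebSphere_Portal
    set_prop "$props" wp.ac.impl.EACcellName   cell01
    set_prop "$props" wp.ac.impl.EACappname    wps
    set_prop "$props" wp.ac.impl.reorderRoles  false
    set_prop "$props" wp.ac.impl.PDRoot        /WPS_profile1
    set_prop "$props" wp.ac.impl.PDAction      m
    set_prop "$props" wp.ac.impl.PDActionGroup WPS
    set_prop "$props" wp.ac.impl.PDCreateAcl   true
    check_namespace_props "$props"
    echo "roles will be created under: $(role_object_name "$props" '<role_name>')"
    # Step 5: apply. Step 6 (restarting the servers) is left to the operator.
    ( cd "$WP_PROFILE/ConfigEngine" && ./ConfigEngine.sh enable-tam-authorization \
        "-DWasPassword=$WAS_PASSWORD" )
}

# Only touch the real profile when explicitly asked: ./tam-authz.sh run
if [ "${1:-}" = run ]; then
    configure_tam_authorization "$WP_PROFILE/ConfigEngine/properties/wkplc_comp.properties"
fi
```

In a cluster, run the script once per node (the topic marks steps 1, 2, 3 and 5 as required on all nodes) and restart the servers afterwards. Environment variables are still readable by processes of the same user, so unset them or run the script from a dedicated administrative shell once the tasks complete.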


Parent

Configure Tivoli Access Manager


Related tasks


Start and stop servers, dmgrs, and node agents


Create the AMJRTE properties file
