Configure Tivoli Access Manager for authentication, authorization, and the Credential Vault

1. Install and configure WebSphere Portal, the database, and the user registry.

2. Start the TAM policy and authorization servers.

3. Install and configure WebSEAL.

4. Optional: Create an SSL junction using LTPA authentication on the WebSEAL node:

   1. Open a pdadmin command prompt from any node that has a TAM run time component installed. This can be done on the TAM Server node, WebSEAL node, or the node.

   2. Run...
      server task WebSEAL-instance_name -webseald-WebSEAL-HostName virtualhost create -t type -h hostname [options] vhost-label

      Where...

      vhost-label	Name for the virtual host junction. Virtual host junctions are always mounted at the root of the WebSEAL object space (Web Portal Manager). We can refer to a junction in the pdadmin utility using this label. Must be unique within each instance of WebSEAL. Must not contain a /.
      -t type	Whether the junction is encrypted (-t ssl) or not encrypted (-t tcp). Required when creating a virtual host junction.
      -h hostname	Back end server to which the junction connects. In most situations, the host name is the HTTP server that sits in front of WebSphere Portal. Required when creating a virtual host junction.

      Options include the following parameters:

      -p port	Port number for the back end server to which the junction connects. If not specified, the default value is 80 for HTTP or 443 for HTTPS.
      -v vhost_name[:port]	Virtual host name and port number that defines the junction. WebSEAL maps incoming requests to this host name and port to this junction. If not specified, the values default to the -h hostname and -p port values.
      -c credential-generation	Generate the credential information
      -A	Enable LTPA cookies
      -F key file	Full path name location on the WebSEAL server of the key file used to encrypt the shared key that is originally created on the WAS server and copied securely to the WebSEAL server. Verify the automatic LTPA Key generation is disabled.
      -Z keyfile-password	Password required to open the key file.

5. To use an SSL junction, see the related links and follow the instructions in steps 1 through 3 of the topic about setting up SSL.

6. To use the Web application bridge integration feature, use an SSL junction:

   1. Use the IBM Key Management utility to load the web server certificate into the keyring for the appropriate instance of WebSEAL.

   2. Restart WebSEAL.

7. Create the trusted user account:

   The trusted user account in the TAM user registry must be the same as the one WAS is configured to use. .

   To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account must be for the TAI only.

   1. pdadmin> user create webseal_useridwebseal_userid_DNfirstnamesurnamepassword
      

   2. pdadmin> user modify webseal_userid account-valid yes
      

8. Validate that the AMJRTE properties exists:

   Operating system	Task
   Windows	ConfigEngine.bat validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
   AIX SolarisLinux	./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
   IBM i	ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDdAdminPwd=foo

   Clustered environments:

   • Complete this step on all nodes.
   • WasPassword is the dmgr administrative password.

   If the task does not run successfully: Run run-svrssl-config to create the properties file, see Create the AMJRTE properties file, then run validate-pdadmin-connection again. If the task is not successful after a second attempt, do not perform any subsequent steps in this topic. The face that the task does not run successfully indicates that the portal cannot connect to the Tivoli Access Manager server.

9. Edit wkplc_comp.properties
   WP_PROFILE/ConfigEngine/properties

   Clustered environments: Complete this step on all nodes.

10. Enter only the following parameters in wkplc_comp.properties under the Namespace management parameters heading:

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.EACserverName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

       If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.

    2. For wp.ac.impl.EACcellName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

       If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.

    3. For wp.ac.impl.EACappname, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

       If set, wp.ac.impl.EACcellName and wp.ac.impl.EACservername must also be set.

    4. For wp.ac.impl.reorderRoles, type false to keep the role order or true to reorder the roles by resource type first.

    Clustered environments: Complete this step on all nodes.

11. For wp.ac.impl.TamHost under the SvrSslCfg command parameter heading in wkplc_comp.properties, type the Tivoli Access Manager Policy Server used when running PDJrteCfg.

    Clustered environments: Complete this step on all nodes.

12. Enter the following parameter in wkplc_comp.properties under the WebSEAL junction parameters heading:

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.TAICreds, type the headers inserted by WebSEAthat the TAI uses to identify the request as originating from WebSEAL.

    Clustered environments: Complete this step on all nodes.

13. Enter only the following parameters in wkplc_comp.properties under the WAS WebSEAL TAI parameters heading:

    Clustered environments: Complete this step on all nodes.

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. Optional: For wp.ac.impl.hostnames, type the host name that sets the WebSEAL TAI's host name parameter.

    2. Optional: For wp.ac.impl.ports, type the port used to set the WebSEAL TAI's ports parameter.

    3. For wp.ac.impl.loginId, type the reverse proxy identity used when created a TCP junction.

       Specify a user ID: The user ID we specify must be an existing user in the LDAP directory that WAS security can authenticate. The user ID must also be registered and validated in Tivoli Access Manager. WebSEAL requires this user ID to authenticate with WAS security.

14. Enter only the following parameters in wkplc_comp.properties under the Portal authorization parameters heading:

    Clustered environments: Complete this step on all nodes.

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.PDRoot, type the root objectspace entry in the Tivoli Access Manager namespace. All Portal roles will be installed under this objectspace entry. If you will be using Tivoli Access Manager for multiple profiles, choose a unique name for each root objectspace entry to easily distinguish one entry from another profile entry.

    2. For wp.ac.impl.PDAction, type the Custom Action created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    3. For wp.ac.impl.PDActionGroup, type the Custom Action group created by the Tivoli Access Manager external authorization plug-in. The combination of the action group and the action determines the Tivoli Access Manager permission string required to assign membership to externalized portal roles.

    4. For wp.ac.impl.PDCreateAcl, type true to automatically create and attach a Tivoli Access Manager ACL when WebSphere Portal externalizes a role or false to not create and attach a Tivoli Access Manager ACL when WebSphere Portal externalizes a role.

15. Enter only the following parameters in wkplc_comp.properties under the Portal vault parameters heading:

    Clustered environments: Complete this step on all nodes.

    Cluster note: The following parameters must match on all nodes in the clustered environment.

    1. For wp.ac.impl.vaultType, type the new vault type identifier representing the Tivoli GSO lockbox vault.

    2. For wp.ac.impl.vaultProperties, type the file to used to configure the vault with Tivoli Access Manager specific user and SSL connection information.

    3. For wp.ac.impl.manageResources, type true if the credential vault or any custom portlets are allowed to create new resource objects in Tivoli Access Manager or type false to allow only the Tivoli Access Manager administrator to define the accessible resources to associate users with from the command line or GUI.

    4. For wp.ac.impl.readOnly, type true to allow credential vault or any custom portlets to modify the secrets stored in Tivoli Access Manager or false to allow only the Tivoli Access Manager administrator to modify the secrets from the command line or GUI.

16. Save your changes to the properties file.
    

17. The new recommended TAI implementation version is only available as a download and needs to be added to the system.

    See the related links section to download the Extended Tivoli Access Manager Trust Association Interceptor Plus (ETAI) and add the binaries to the environment. WAS deprecated the TAI implementation that is available with WebSphere Portal. If use the deprecated TAI implementation:

    1. Open wkplc_comp.properties.

    2. Add the TAMTAIName parameter to the WAS WebSEAL TAI section.

    3. Enter com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus as the value.

18. Run the following task to enable Tivoli Access Manager authentication, authorization task and the credential vault:

    • ./ConfigEngine.sh enable-tam-all -DWasPassword=foo from the WP_PROFILE/ConfigEngine

    Clustered environments:

    • Complete this step on all nodes.
    • WasPassword is the dmgr administrative password.

    If the task does not run successfully: Ensure the values you specified in wkplc_comp.properties are valid.

19. Optional: Go to Enable user provisioning to enable user provisioning.

20. If we are using Tivoli Access Manager in a stand-alone environment that does not include a Web server:

    1. Log on to the WAS admin console.

    2. Go to Servers > Server Types > Web appservers > WebSphere_Portal > Web container settings > Web Container and then click Custom properties under the Additional Properties section.

    3. Click New and add the com.ibm.ws.webcontainer.extracthostheaderport custom property with a value of true.

    4. Click OK.

    5. Click New and add the trusthostheaderport custom property with a value of true.

    6. Click OK.

    7. Click Save to save the changes.

    8. Log out of the WAS admin console.

21. Stop and restart servers, dmgrs, and node agents.

22. If you created a TCP junction in the previous steps, go to the WebSEAL machine and edit the webseald-instance.conf file for the appropriate WebSEAL instance. An example is webseald-default.conf. This sets the basicauth-dummy-passwd value to the password for the Ithat WebSEAL uses to identify itself to WAS. This user ID and password were created in an earlier step. Stop and start the WebSEAL server before continuing.

23. The length of the generated URLs might cause problems if the WebSEAL instance is on the Windows platform. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.

24. Some functions of WebSphere Portal require the use of the PUT, and DELETE HTTP method. By default, WebSEAL does not allow these requests. You must either allow this method at the applicable WebSEAL ACL and web server, or change the HTTP methods in the x-method-override configuration.

Parent: Configure Tivoli Access Manager for non-z/OS operating systems
Related:
Migration consideration for Tivoli Access Manager integration
Related:
Set up SSL
Enable user provisioning
Related reference:
Switch for tunneling of HTTP methods
Related:

Extended Tivoli Access Manager Trust Association Interceptor Plus (ETAI)

Tivoli Access Manager for e-business
Create the AMJRTE properties file