Configuring Tivoli Access Manager WebSEAL to work with Business Space

If you have Tivoli® Access Manager WebSEAL and you want to use it with Business Space, you must complete several additional configuration steps.

About this task

If you want to use Tivoli Access Manager WebSEAL with Business Space, you must configure Tivoli Access Manager security with an external Java™ Authorization Contract for Containers (JACC) provider, configure WebSEAL with Tivoli Access Manager, configure WebSEAL with your product application server, and configure host junctions for your environment.

Before you begin

Topic scope: This topic applies to the following products:
  • WebSphere Business Monitor
  • WebSphere Enterprise Service Bus
  • WebSphere Process Server
Procedure
  1. Configure Tivoli Access Manager with JACC.
    1. Complete one of the following steps, depending on whether you want to use the administrative console or the wsadmin commands.
      • If you want to use the administrative console to configure Tivoli Access Manager with JACC, complete the following steps:
        1. Enable Global Security.
          1. Select Security > Secure administration, applications, and infrastructure.
          2. Enable Administrative security, Application security, and Java 2 security with the LDAP server with which Tivoli Access Manager is configured.
          3. In the User account repository section, select Standalone LDAP registry from the Available realm definitions list and click Configure.
          4. Enter the following information, select the type of LDAP server you are using, and then click OK.
            Primary administrative user name: The user ID in the registry that has administrative privileges.
            Server user ID: The same user ID that you entered as the administrator DN in the Tivoli Access Manager settings. Example: user1
            Server user password: The password of that user. Example: puser1
            Host: The LDAP server that is configured with Tivoli Access Manager.
            Port: The LDAP port. Example: 389
            Base DN: Example: o=ibm,c=us
            Bind DN: Example: cn=SecurityMaster,secAuthority=Default
            Bind password: The password of the SecurityMaster user.
          5. Ensure that Standalone LDAP registry is selected in the Available realm definitions list, and click Set as current.
          6. Click Apply, save the configuration, and restart the server.
        2. Enable external authorization with Tivoli Access Manager and JACC.
          1. Select Security > Secure administration, applications, and infrastructure > External authorization providers.
          2. Under General Properties, select External authorization using a JACC provider and click the External JACC provider link under Related Items. The default properties are correct for Tivoli Access Manager; leave them unchanged.
          3. Under Additional Properties, select Tivoli Access Manager properties. Select Enable embedded Tivoli Access Manager, enter the following information, and then click OK.
            Client listening port set: The default is 8900 - 8999. Change it only if you want to use different ports.
            Policy server (name:port): Your policy server and its port. Example: windomain3.rtp.raleigh.ibm.com:7135
            Authorization servers and priority (name:port:priority): Your authorization server, its port and its priority. Example: windomain3.rtp.raleigh.ibm.com:7136:1
            Administrator user name: Leave the user name as sec_master (the default) unless you use a different administrator name on the Tivoli Access Manager server.
            Administrator user password: The password of that administrator. Example: domino123
            User registry distinguished name suffix: The suffix that you want to use for your application server. Example: o=ibm,c=us
            Security domain: Leave the security domain set to Default unless you are not using the default domain on the Tivoli Access Manager server, for example because you created multiple domains there and want to connect to a domain other than Default.
            Administrator user distinguished name: The fully qualified distinguished name of the user. Example: cn=user1,o=ibm,c=us
            Note: This user is the same as the Server user ID configured in the LDAP user registry panel.

            The server contacts the Tivoli Access Manager server and creates several properties files under the application server. This process might take a few minutes. If an error occurs, look in the SystemOut.log file and correct the problem.

      • If you want to use the wsadmin utility to configure Tivoli Access Manager with JACC, complete the following steps. Perform the following procedure once on the deployment manager server. The configuration parameters are forwarded to managed servers, including node agents, when a synchronization is performed. The managed servers require their own restart for the configuration changes to take effect.
        1. Verify that all the managed servers, including node agents, are started.
        2. Start the deployment manager.
        3. Start the command-line utility by running the wsadmin command from the install_root/bin directory.
        4. At the wsadmin prompt, run the configureTAM command, including the appropriate information from the following table:

          Jacl example:

          $AdminTask configureTAM -interactive

          Jython example:

          AdminTask.configureTAM('-interactive')

          Then type the following information:
          Node name for your product server: Specify a single node, or enter an asterisk (*) to choose all nodes.
          Tivoli Access Manager policy server: The name of the Tivoli Access Manager policy server and its connection port, in the format policy_server:port. The policy server communication port is set when Tivoli Access Manager is configured; the default is 7135.
          Tivoli Access Manager authorization server: The name of the Tivoli Access Manager authorization server, in the format auth_server:port:priority. The authorization server communication port is set when Tivoli Access Manager is configured; the default is 7136. You can specify more than one authorization server by separating the entries with commas; more than one authorization server is useful for failover and performance. The priority value is the order in which the authorization servers are used. For example: auth_server1:7136:1,auth_server2:7137:2. A priority of 1 is still required when you configure against a single authorization server.
          Administrator distinguished name for your product server: The full distinguished name of the security administrator ID for your product server. For example: cn=wasadmin,o=organization,c=country. For more information, see the related link.
          Tivoli Access Manager user registry distinguished name suffix: For example: o=organization,c=country
          Tivoli Access Manager administrator user name: The Tivoli Access Manager administration user ID, as created when Tivoli Access Manager was configured. This ID is typically sec_master.
          Tivoli Access Manager administrator user password: The password of the Tivoli Access Manager administrator.
          Tivoli Access Manager security domain: The name of the Tivoli Access Manager security domain that stores users and groups. If no security domain was established when Tivoli Access Manager was configured, press Return to accept the default.
          Embedded Tivoli Access Manager listening port set: The product server listens on a TCP/IP port for authorization database updates from the policy server. Because more than one process can run on a node and machine, a list of ports is required for the processes. Specify the ports that Tivoli Access Manager clients use as listening ports, separated by commas. To specify a range of ports, separate the lower and higher values by a colon. For example: 7999,9990:9999
          Defer: Set to yes, the configuration of the deployment manager is deferred until its next restart; set to no, it occurs immediately. Managed servers are configured on their next restart either way.
        5. After you enter all the required information, select F to save the configuration properties or C to cancel from the configuration process and discard the entered information.
          Example session against a Tivoli Access Manager 6.0 server:
          wsadmin>$AdminTask configureTAM -interactive
          Configure embedded Tivoli Access Manager
          
          This command configures embedded Tivoli Access Manager on the WebSphere 
          Application Server node or nodes specified.
          
          WebSphere Application Server Node Name (nodeName): *
          *Tivoli Access Manager Policy Server (policySvr):
           windomain3.rtp.raleigh.ibm.com:7135
          *Tivoli Access Manager Authorization Servers (authSvrs):
           windomain3.rtp.raleigh.ibm.com:7136:1
          *WebSphere Application Server administrator's distinguished name (wasAdminDN):
           cn=was61admin,o=ibm,c=us
          *Tivoli Access Manager user registry distinguished name suffix (dnSuffix): 
          o=ibm,c=us
          Tivoli Access Manager administrator's user name (adminUid):
           [sec_master]
          *Tivoli Access Manager administrator's user password (adminPasswd):
           domino123
          Tivoli Access Manager security domain (secDomain): [Default]
          Embedded Tivoli Access Manager listening port set (portSet): [9900:9999]
          Defer (defer): [no]
          
          Configure embedded Tivoli Access Manager
          
          F (Finish)
          C (Cancel)
          
          Select [F, C]: [F] F
          WASX7278I: Generated command line: $AdminTask configureTAM {-policySvr
           windomain3.rtp.raleigh.ibm.com:7135 -authSvrs
           windomain3.rtp.raleigh.ibm.com:7136:1 -wasAdminDN cn=wa
          Embedded Tivoli Access Manager configuration action parameters saved successfully.
           Restart all WebSphere Application Server instances running on the target node or
           nodes to
          wsadmin>
        6. In the administrative console, select Security > Secure administration, applications, and infrastructure > External authorization providers. Then select External authorization using a JACC provider, and click OK.
        7. Go to the main security screen and click OK. Save and synchronize your changes.
        8. Restart all processes in your cell.
    2. If you installed applications before you enabled Tivoli Access Manager (for example, you enabled LDAP security and installed some secured applications and mapped users and groups to security roles), propagate the security roles mapping information from the deployment descriptors to the Tivoli Access Manager policy server. To use the propagatePolicyToJACCProvider wsadmin command, see Propagating security policy of installed applications to a JACC provider using wsadmin scripting.
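The interactive session above is fine for a one-off, but a repeatable installation is better served by a non-interactive script. The following wsadmin Jython script is an added example, not part of the IBM topic: it runs the same configureTAM command with the parameter names the interactive prompt shows in parentheses, saves and synchronizes the configuration, and then performs the propagation from step 1.2. The host names, DNs, application names and the password-file convention are assumptions for this example; it only runs inside wsadmin, where AdminTask, AdminConfig and AdminControl are defined.

```jython
# Added example (not from the IBM topic): non-interactive equivalent of the
# "AdminTask.configureTAM('-interactive')" session shown above.
# Run once on the deployment manager:
#   wsadmin -lang jython -f configure_tam.py /path/to/sec_master.passwd
import sys

# wsadmin passes script arguments in sys.argv (sys.argv[0] is the first
# argument, not the script name). Reading the password from a root-readable
# file keeps it out of shell history and out of the script itself.
passwd_file = open(sys.argv[0])
sec_master_passwd = passwd_file.read().strip()
passwd_file.close()

# Parameter names are the ones the interactive prompt shows in parentheses;
# every value below is a placeholder for your environment.
tam_params = {
    'nodeName':    '*',                                    # all nodes in the cell
    'policySvr':   'tam-policy.example.com:7135',          # policy server, default port
    'authSvrs':    'tam-authz1.example.com:7136:1,tam-authz2.example.com:7136:2',
    'wasAdminDN':  'cn=wasadmin,o=ibm,c=us',               # same DN as the LDAP server user ID
    'dnSuffix':    'o=ibm,c=us',
    'adminUid':    'sec_master',
    'adminPasswd': sec_master_passwd,
    'secDomain':   'Default',
    'portSet':     '9900:9999',                            # embedded TAM listener ports
    'defer':       'no',
}

def tam_argument_string(params):
    """Render the dict as the '[-name value ...]' string AdminTask expects."""
    parts = []
    for name in params.keys():
        parts.append('-%s %s' % (name, params[name]))
    return '[%s]' % ' '.join(parts)

print AdminTask.configureTAM(tam_argument_string(tam_params))
AdminConfig.save()

# Push the new configuration to every managed node so that node agents and
# managed servers pick it up on their next restart. The NodeSync MBean does
# not exist on the deployment manager node, so completeObjectName returns ''.
for node_id in AdminConfig.list('Node').splitlines():
    node_name = AdminConfig.showAttribute(node_id, 'name')
    sync_mbean = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % node_name)
    if sync_mbean:
        AdminControl.invoke(sync_mbean, 'sync')
        print 'synchronized node', node_name

# Step 1.2: applications installed before Tivoli Access Manager was enabled
# keep their role mappings in the deployment descriptor until propagated.
# The application names are assumptions; confirm the parameter name with
# AdminTask.help('propagatePolicyToJACCProvider') on your release.
for app_name in ['BSpaceEAR_node1_server1', 'BusinessSpaceHelpEAR_node1_server1']:
    print AdminTask.propagatePolicyToJACCProvider('[-appNames %s]' % app_name)
```

After the script completes, enable External authorization using a JACC provider in the administrative console and restart all processes in the cell, as in steps 6 to 8 above; the script does not replace those steps.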
  2. Configure WebSEAL with Tivoli Access Manager.
    1. Ensure that WebSEAL is installed and configured properly.
    2. Create the junction between WebSEAL and your product application server. Use the -c iv_creds option for TAI++, or -c iv_user for the older TAI. Enter the following command as one line, substituting the values for your environment:

      For TAI++

      server task webseald-server create -t tcp -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name

      With -t tcp, WebSEAL sends the request, including the Basic Authentication header that carries the dummy password, in clear text to the application server. Use -t ssl unless the two servers share a protected network segment.

    3. To create a trusted user account in Tivoli Access Manager for the TAI to use, issue the following commands (the arguments to user create are the user name, the distinguished name, the common name, the surname and the password):

      pdadmin -a sec_master -p domino123

      pdadmin sec_master> user create -gsouser -no-password-policy taiuser "cn=taiuser,ou=websphere,o=ibm,c=us" taiuser taiuser ptaiuser

      pdadmin sec_master> user modify taiuser password-valid yes

      pdadmin sec_master> user modify taiuser account-valid yes

    4. In the WebSEAL configuration file webseal_install_directory/etc/webseald-default.conf, set the following parameter in the [ba] stanza:

      basicauth-dummy-passwd = webseal_userid_passwd

      For example, if you created taiuser with the password ptaiuser in Tivoli Access Manager, set basicauth-dummy-passwd = ptaiuser. The application server uses this user ID and password to decide whether a request came from WebSEAL, so treat the password as a shared secret: do not reuse a documentation example value, and make sure the application server ports are reachable only from WebSEAL.

      If you are using form-based authentication, also set the following parameters, in the [forms] and [ba] stanzas respectively:

      forms-auth = both

      ba-auth = none

  3. Configure WebSEAL with your product application server by enabling the TAI++ interceptor on the server.
    1. In the administrative console, select Security > Secure administration, applications, and infrastructure.
    2. Expand Web security under the Authentication section, and select Trust Association. Select the Enable trust association check box and click Apply.
    3. Select Interceptors and click the interceptor class name com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus. Then select Custom Properties and add the following properties:
      Name Value
      com.ibm.websphere.security.webseal.configURL ${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties
      com.ibm.websphere.security.webseal.id iv-creds
      com.ibm.websphere.security.webseal.loginId taiuser (if the user taiuser/ptaiuser was created in the Tivoli Access Manager)
    4. Restart the cell.
    5. To access the client, go to https://webseal_server_name:webseal_port/junction_name/web_uri_for_client.
  4. Configure the host junctions for your environment, so that the Business Space widgets appear. Complete one of the following steps, depending on whether you are using virtual host junctions or transparent host junctions.
    • If you are using virtual host junctions, create a virtual host junction. A virtual host junction eliminates the need to create separate junctions.
      1. Make sure that a virtual host has been configured. Virtual host junctions match a host and port number and forward addresses to the target host. No URL filtering occurs, and all requests that match are forwarded to the target host.
      2. Make sure that the following applications are available to the same virtual host. You may have some or all of the applications, based on which products you are using with Business Space.
        • BPMAdministrationWidgets_nodename_servername (for WebSphere® Enterprise Service Bus and WebSphere Process Server)
        • BusinessSpaceHelpEAR_nodename_servername (for all products)
        • BSpaceEAR_nodename_servername (for all products)
        • BSpaceWebformsEnabler_nodename_servername (for all products)
        • HumanTaskManagementWidgets_nodename_servername (for WebSphere Process Server and WebSphere Business Monitor)
        • REST Services Gateway (for all products)
        • REST Services Gateway Dmgr (for WebSphere Enterprise Service Bus and WebSphere Process Server)
        • mm.was_nodename_servername (for all products)
        • WBMDashboardWeb_nodename_servername (for WebSphere Business Monitor)
        • wesbWidgets_nodename_servername (for WebSphere Enterprise Service Bus)
        • widgets_busleader_nodename_servername (for WebSphere Business Compass)
        • widgets_pubserver_nodename_servername (for WebSphere Business Compass)
        • widgets_fabric_nodename_servername (for WebSphere Business Services Fabric)
        Note: This list of applications covers only the applications required by Business Space. You might need to add other applications to the list for non-Business Space scenarios using Tivoli Access Manager WebSEAL.
      3. Run the following command using pdadmin: server task webseal_server virtualhost create -t transport -h target_host [-p port] [-v virtual_host_name] virtual_host_label
        Use the following information:
        • webseal_server is the name of the WebSEAL server where you will create the virtual host entry.
        • transport is the type of transport. Valid entries are tcp, ssl, tcpproxy, and sslproxy.
        • target_host is the host of the required application.
        • virtual_host_name is used to match HTTP requests to a virtual host junction. If no value is entered, it is made up of the target host and port by default. For example, if you set virtual_host_name to myvirthost.ibm.com:80, WebSEAL matches URLs containing myvirthost.ibm.com:80 and routes them to the host provided in the pdadmin command.
        • virtual_host_label is the label used to identify the entry in WebSEAL. It must be unique.

        For Business Space to run as expected, you must create both an ssl and a tcp entry. When both Secure Sockets Layer (SSL) and Transmission Control Protocol (TCP) must be supported by the same virtual host junction, use the -g vhost_label option on the second entry, where vhost_label is the label of the virtual host junction that you created first. This option finds that existing junction and shares its configuration. The second entry still needs its own virtual_host_label, but it shares the target host, port and other values. If you omit -g, the second virtual host cannot be created, because WebSEAL sees the target host and port as identical to an existing junction, which is not allowed.

    • If you are using transparent host junctions, create a series of transparent path junctions for the widgets for each product.
      1. Run the following command using pdadmin: server task webseal_server create -t transport_type -x -h host_name path, where transport_type is ssl or tcp.

        For example, type: server task webseald-default create -t tcp -x -h monServer.ibm.com /BusinessSpace

      2. Create a transparent junction for each of the context roots listed in Mapping Business Space URLs for a reverse proxy server.
  5. Complete additional configuration steps to resolve issues with browser cookies and virtual hosts.
    1. To stop WebSEAL from renaming the Business Space cookies, add the following stanza to the WebSEAL configuration file:

      [preserve-cookie-names]

      name = com.ibm.bspace.UserName

      name = com.ibm.wbimonitor.UserName

    2. Optional: If you are using non-default virtual hosts with a context root, you might encounter issues with Business Space pages. You might need to stop the junction from rewriting the JavaScript™ on the Business Space pages by adding the -j option to the junction for the context root. Run the following command: server task default-webseald create -f -h hostname -p portnumber -t tcp -b supply -c iv_user,iv_creds,iv_groups -x -s -j -J trailer /root_context
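Steps 2.4 and 5.1 both edit webseald-default.conf by hand, and a missed stanza or a copied example password is easy to overlook in a file of several hundred entries. The following Python script is an added example, not part of the IBM topic: it parses WebSEAL's stanza format (keys may repeat within a stanza, which is why [preserve-cookie-names] cannot be read with a plain dictionary) and reports any of the settings from those two steps that are missing, wrong for form-based authentication, or still set to a value copied from this documentation. The two sample configurations are constructed for the example; run the check against a copy of your own configuration file.

```python
"""Check a WebSEAL configuration file for the settings this topic requires.

Added example, not part of the IBM topic: a stand-alone check for the
webseald.conf entries from steps 2.4 (basicauth-dummy-passwd, forms-auth,
ba-auth) and 5.1 ([preserve-cookie-names]). The sample configuration texts
below are constructed for the example.
"""
import re
from collections import defaultdict

STANZA_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
ENTRY_RE = re.compile(r'^\s*([^=\s][^=]*?)\s*=\s*(.*?)\s*$')

# Values that appear only as illustrations in the documentation; finding one
# in a real file means the step was copied rather than configured.
DOC_EXAMPLE_PASSWORDS = {'ptaiuser', 'domino123', 'puser1'}

# Cookies WebSEAL must pass through with their original names (step 5.1).
REQUIRED_COOKIE_NAMES = {'com.ibm.bspace.UserName', 'com.ibm.wbimonitor.UserName'}


def parse_webseald_conf(text):
    """Parse WebSEAL's stanza file into {stanza: [(key, value), ...]}.

    A key may repeat within a stanza ([preserve-cookie-names] holds one
    'name = ...' line per cookie), so entries are kept as an ordered list.
    Lines whose first non-blank character is '#' are comments.
    """
    stanzas = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            stanzas[current]          # record the stanza even if it stays empty
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            stanzas[current].append((m.group(1), m.group(2)))
    return dict(stanzas)


def entry_values(stanzas, stanza, key):
    """All values set for key in stanza, in file order (the last one wins)."""
    return [v for k, v in stanzas.get(stanza, []) if k == key]


def check_webseal_config(text, forms_based):
    """Return the list of findings; an empty list means the file matches."""
    conf = parse_webseald_conf(text)
    findings = []

    dummy = entry_values(conf, 'ba', 'basicauth-dummy-passwd')
    if not dummy or not dummy[-1]:
        findings.append('[ba] basicauth-dummy-passwd is not set')
    elif dummy[-1] in DOC_EXAMPLE_PASSWORDS:
        findings.append('[ba] basicauth-dummy-passwd still holds a documentation example password')

    if forms_based:
        if entry_values(conf, 'forms', 'forms-auth')[-1:] != ['both']:
            findings.append('[forms] forms-auth must be "both" for form-based authentication')
        if entry_values(conf, 'ba', 'ba-auth')[-1:] != ['none']:
            findings.append('[ba] ba-auth must be "none" for form-based authentication')

    preserved = set(entry_values(conf, 'preserve-cookie-names', 'name'))
    for cookie in sorted(REQUIRED_COOKIE_NAMES - preserved):
        findings.append('[preserve-cookie-names] is missing name = %s' % cookie)

    return findings


# Constructed samples: only the stanzas relevant to this topic are shown.
SAMPLE_CORRECT = """\
[ba]
ba-auth = none
# password of the trusted user created with pdadmin in step 2.3
basicauth-dummy-passwd = 7kQw!zP3-vB9

[forms]
forms-auth = both

[preserve-cookie-names]
name = com.ibm.bspace.UserName
name = com.ibm.wbimonitor.UserName
"""

SAMPLE_WRONG = """\
[ba]
ba-auth = https
basicauth-dummy-passwd = ptaiuser

[forms]
forms-auth = none

[preserve-cookie-names]
name = com.ibm.bspace.UserName
"""

if __name__ == '__main__':
    for label, sample in (('correct', SAMPLE_CORRECT), ('wrong', SAMPLE_WRONG)):
        findings = check_webseal_config(sample, forms_based=True)
        print('%s sample: %s' % (label, ', '.join(findings) or 'OK'))
```

Pass forms_based=False when WebSEAL authenticates with Basic Authentication; the forms-auth and ba-auth checks then do not apply. The check reads only the stanzas named in this topic, so a WebSEAL instance file with a different name needs nothing more than the path changed.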

Last updated: 22 June 2010

http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic/com.ibm.websphere.wbpm.bspace.config.620.doc/doc/tcfg_bsp_tamwebseal.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.