If you have Tivoli® Access Manager WebSEAL and you want to use it with Business Space, you must complete several additional configuration steps.
If you want to use Tivoli Access Manager WebSEAL with Business Space, you must configure Tivoli Access Manager security with an external Java™ Authorization Contract for Containers (JACC) provider, configure WebSEAL with Tivoli Access Manager, configure WebSEAL with your product application server, and configure host junctions for your environment.
LDAP user registry settings:
Name | Description |
---|---|
Primary administrative user name | The user ID in the registry that has administrative privileges |
Server user ID | Enter the same user ID that you entered for the administrator DN on the Tivoli Access Manager settings panel. Example: user1 |
Server user password | The password of the server user ID. Example: puser1 |
Host | The LDAP server that is configured with Tivoli Access Manager |
Port | Example: 389 |
Base DN | Example: o=ibm,c=us |
Bind DN | Example: cn=SecurityMaster,secAuthority=Default |
Bind password | The password of the SecurityMaster user |
Tivoli Access Manager settings:
Name | Value |
---|---|
Client listening port set | The default setting is 8900 - 8999. Change it only if you want to use different ports. |
Policy server (name:port) | Specify your policyserver:port. Example: windomain3.rtp.raleigh.ibm.com:7135 |
Authorization servers and priority (name:port:priority) | Specify your authorizationserver:port:priority. Example: windomain3.rtp.raleigh.ibm.com:7136:1 |
Administrator user name | Leave the user name as sec_master (default), unless you use a different administrator name on the Tivoli Access Manager server. |
Administrator user password | The password of the Tivoli Access Manager administrator. Example: domino123 |
User registry distinguished name suffix | Type the suffix that you want to use for your application server. Example: o=ibm,c=us |
Security domain | Leave the security domain set to Default unless you are not using the default domain on the Tivoli Access Manager server, or you have multiple domains on the Tivoli Access Manager server and want to connect to a domain other than Default. |
Administrator user distinguished name | Type the fully qualified name of the user. Example: cn=user1,o=ibm,c=us. Note: This user is the same as the Server user ID configured in the LDAP user registry panel. |
The server contacts the Tivoli Access Manager server and creates several properties files under the application server. This process might take a few minutes. If an error occurs, look in SystemOut.log, correct the problem, and run the configuration again.
Jacl example:
$AdminTask configureTAM -interactive
Jython example:
AdminTask.configureTAM('-interactive')
Then type the following information:
Name | Value |
---|---|
node name for your product server | Specify a single node or enter an asterisk (*) to choose all nodes. |
Tivoli Access Manager Policy Server | Type the name of the Tivoli Access Manager policy server and the connection port. Use the format, policy_server:port. The policy server communication port is set at the time of Tivoli Access Manager configuration. The default port is 7135. |
Tivoli Access Manager Authorization Server | Type the name of the Tivoli Access Manager authorization server. Use the format auth_server:port:priority. The authorization server communication port is set at the time of Tivoli Access Manager configuration. The default port is 7136. You can specify more than one authorization server by separating the entries with commas. Having more than one authorization server configured is useful for failover and performance. The priority value is the order of authorization server use. For example: auth_server1:7136:1,auth_server2:7137:2. A priority of 1 is still required when configuring against a single authorization server. |
administrator distinguished name for your product server | Type the full distinguished name of the security administrator ID for your product server. For example: cn=wasadmin,o=organization,c=country. For more information, see the related link. |
Tivoli Access Manager user registry distinguished name suffix | For example: o=organization, c=country |
Tivoli Access Manager administrator user name | Type the Tivoli Access Manager administration user ID, as created at the time of Tivoli Access Manager configuration. This ID is typically sec_master. |
Tivoli Access Manager administrator user password | Type the password for the Tivoli Access Manager administrator. |
Tivoli Access Manager security domain | Type the name of the Tivoli Access Manager security domain that is used to store users and groups. If a security domain is not already established at the time of Tivoli Access Manager configuration, click Return to accept the default. |
Embedded Tivoli Access Manager listening port set | The product server listens on a TCP/IP port for authorization database updates from the policy server. Because more than one process can run on a particular node and machine, a list of ports is required for the processes. Specify the ports that are used as listening ports by Tivoli Access Manager clients, separated by a comma. If you specify a range of ports, separate the lower and higher values by a colon. For example, 7999, 9990:9999. |
Defer | If set to yes, this option defers the configuration of the management server until the next restart. If set to no, the management server is configured immediately. Managed servers are configured on their next restart. |
Example session:
wsadmin>$AdminTask configureTAM -interactive
Configure embedded Tivoli Access Manager
This command configures embedded Tivoli Access Manager on the WebSphere Application Server node or nodes specified.
WebSphere Application Server Node Name (nodeName): *
*Tivoli Access Manager Policy Server (policySvr): windomain3.rtp.raleigh.ibm.com:7135
*Tivoli Access Manager Authorization Servers (authSvrs): windomain3.rtp.raleigh.ibm.com:7136:1
*WebSphere Application Server administrator's distinguished name (wasAdminDN): cn=was61admin,o=ibm,c=us
*Tivoli Access Manager user registry distinguished name suffix (dnSuffix): o=ibm,c=us
Tivoli Access Manager administrator's user name (adminUid): [sec_master]
*Tivoli Access Manager administrator's user password (adminPasswd): domino123
Tivoli Access Manager security domain (secDomain): [Default]
Embedded Tivoli Access Manager listening port set (portSet): [9900:9999]
Defer (defer): [no]
Configure embedded Tivoli Access Manager
F (Finish)
C (Cancel)
Select [F, C]: [F] F
WASX7278I: Generated command line: $AdminTask configureTAM {-policySvr windomain3.rtp.raleigh.ibm.com:7135 -authSvrs windomain3.rtp.raleigh.ibm.com:7136:1 -wasAdminDN cn=wa
Embedded Tivoli Access Manager configuration action parameters saved successfully.
Restart all WebSphere Application Server instances running on the target node or nodes to
wsadmin>
For TAI++, create the junction with the following command. The -b supply option makes WebSEAL add a basic authentication header to each forwarded request, and -c iv_creds makes it add the iv-creds header that carries the authenticated user's credential:
server task webseald-server create -t tcp -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name
Create the TAI user in Tivoli Access Manager and make its password and account valid:
pdadmin -a sec_master -p domino123
pdadmin sec_master> user create -gsouser -no-password-policy taiuser "cn=taiuser,ou=websphere,o=ibm,c=us" taiuser taiuser ptaiuser
pdadmin sec_master> user modify taiuser password-valid yes
pdadmin sec_master> user modify taiuser account-valid yes
In the WebSEAL configuration file, set basicauth-dummy-passwd in the [junction] stanza to the password of the TAI user. WebSEAL supplies this password in the basic authentication header on the -b supply junction, and it is what lets the application server's TAI trust the iv-creds header, so treat it as a shared secret between WebSEAL and the application server:
basicauth-dummy-passwd=webseal_userid_passwd
For example, if you created taiuser/ptaiuser in Tivoli Access Manager, set the following parameter:
basicauth-dummy-passwd = ptaiuser
If you are using forms-based authentication, set the following parameters in the [forms] and [ba] stanzas respectively:
forms-auth=both
ba-auth=none
Set the following custom properties for the trust association interceptor on the application server:
Name | Value |
---|---|
com.ibm.websphere.security.webseal.configURL | ${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties |
com.ibm.websphere.security.webseal.id | iv-creds (the header name that matches the -c iv_creds junction option) |
com.ibm.websphere.security.webseal.loginId | taiuser (if the user taiuser/ptaiuser was created in Tivoli Access Manager) |
For Business Space to run as expected, both an SSL and a TCP entry must be created for the transport type. When both Secure Sockets Layer (SSL) and Transmission Control Protocol (TCP) must be supported in the same virtual host junction, use the -g vhost_label option, where vhost_label is the label of the original virtual host junction whose configuration is to be shared. This option finds the previously created virtual host junction whose virtual_host_label matches the label given with -g and shares its configuration. The second entry still needs its own virtual_host_label, but it can share the target host, port, and other values. Without the -g option, the second virtual host junction cannot be created, because WebSEAL sees the target host and port as identical to a previously created junction, which is not allowed.
For example, type: server task webseald-default create -t tcp -x -h monServer.ibm.com /BusinessSpace
Add the Business Space and Monitor user-name cookies to the [preserve-cookie-names] stanza of the WebSEAL configuration file so that WebSEAL passes them to the browser with their names unchanged:
[preserve-cookie-names]
name = com.ibm.bspace.UserName
name = com.ibm.wbimonitor.UserName