WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
Configuring TAM for authorization using TFIM V6.1
This topic describes how to configure Tivoli® Access Manager (TAM) to enable authorization using Tivoli Federated Identity Manager (TFIM) V6.1.
To configure TAM to process an authorization request from
TFIM, complete the following steps. The examples relate to the TAM
Version 6.01 pdadmin utility:
- Check that the action group used by
the TFIM authorization module is available. The action
group used is WebService:
action group list
If WebService is not listed, create it:
action group create WebService
- Display the action in the action group
used by the TFIM authorization module. The action used
is "i":
action list WebService
If the listing contains no line for an action named i of type 0, create it. The <label> is a descriptive text of your choice and does not affect authorization:
action create i <label> 0 WebService
- Create the Access Control List (ACL) that will be used
to grant access to one or more message flows. First, create
the ACL and give the administrators access to it. In this example, iv-admin is
the administration group and sec_master is the main
administrator:
acl create <AclName>
acl modify <AclName> set group iv-admin TcmdbsvaBRxl[WebService]i
acl modify <AclName> set user sec_master TcmdbsvaBRxl[WebService]i
- Grant access to all authenticated users, or specific groups,
by adding them to the ACL. Grant any authenticated identity access:
acl modify <AclName> set Any-other Trx[WebService]i
To add a specific group:
acl modify <AclName> set group <GroupName> Trx[WebService]i
- Define protected object spaces in TAM for authorization
of message flows:
- Create the application container object as
the root of the protected object space. This is the name
that is used to link an instance of a TFIM AuthorizationSTSModule
(within a module chain) into the TAM object space. The container object
name is specified to match the Web Service protected object
name parameter on a TFIM Authorization module.
objectspace create /<ContainerObjectName> <Description> 14
- Create the container objects in the tree for each broker
message flow that is being authorized. The message flow
name is used by TFIM to locate a point in the TAM Object Space tree
for Authorization, through the attached ACL. The message flow name
is passed as the PortType in the WS-Trust request
to TFIM. Use the following command to create the object tree node
representing each flow to be authorized:
object create /<ContainerObjectName>/<FlowName> <Description> 11 ispolicyattachable yes
The ispolicyattachable parameter applies to all levels, so you can attach an ACL at any level.
- Create the leaf object that represents the authorized
object to grant access to the message flow. This is the
fixed string MessageFlowAccess, which the broker
sends to TFIM through the TFIM OperationName extension
to the WS-Trust request. A fixed name (MessageFlowAccess) is used
instead of a true operation name, because the broker does not necessarily
know at the input node which operation a flow is going to perform.
The command syntax is:
object create /<ContainerObjectName>/<FlowName>/MessageFlowAccess <Description> 12 ispolicyattachable yes
where <FlowName> has been created in a previous step.
- Attach the ACL to the relevant node in the protected object
space tree. A node that has no ACL of its own inherits the ACL of
its nearest ancestor that has one, and an ACL attached at a lower level
replaces the inherited ACL for that node and everything beneath it. Use
the following command syntax to attach an ACL to a node in
the object space:
acl attach /<ObjectSpacePath> <AclName>
To attach an ACL to the leaf node:
acl attach /<ContainerObjectName>/<FlowName>/MessageFlowAccess <AclName>
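The steps above, scripted end to end as an added example (this is not IBM's code or part of the original page). It makes steps 1 and 2 idempotent by checking the pdadmin listings before creating anything, and emits steps 3 to 7 as a pdadmin batch that can be reviewed before it is applied. The container name WMB_Flows, the ACL name wmb_flow_acl, the group wmb_users, the action label Invoke, the descriptions and the PDPASS variable are all assumptions; the pdadmin commands themselves are the ones the page shows.

```shell
#!/bin/sh
# Added example, not from the original page: script the pdadmin steps above
# for a set of broker message flows. Assumed names: container WMB_Flows,
# ACL wmb_flow_acl, group wmb_users, action label Invoke. The sec_master
# password is read from the PDPASS environment variable (assumption).
set -eu

CONTAINER=${CONTAINER:-WMB_Flows}
ACL_NAME=${ACL_NAME:-wmb_flow_acl}
FLOW_GROUP=${FLOW_GROUP:-wmb_users}

# Single point of contact with pdadmin: one command per call, output on stdout.
# Redefine this function with a stub to dry-run the script without a TAM server.
run_pdadmin() {
  pdadmin -a sec_master -p "${PDPASS:?set PDPASS to the sec_master password}" "$@"
}

# Steps 1 and 2: create the WebService action group and the "i" action only
# if the listings do not already show them. Prints what it found/did.
ensure_action_and_group() {
  if run_pdadmin action group list | grep -q '^[[:space:]]*WebService[[:space:]]*$'; then
    echo "action group WebService: present"
  else
    run_pdadmin action group create WebService >/dev/null
    echo "action group WebService: created"
  fi
  # "action list" prints one line per action: <action> <label> <type>;
  # match on the action column only, since the label is free-form.
  if run_pdadmin action list WebService | grep -q '^[[:space:]]*i[[:space:]]'; then
    echo "action i: present"
  else
    run_pdadmin action create i Invoke 0 WebService >/dev/null
    echo "action i: created"
  fi
}

# Steps 3 to 7 as a pdadmin batch (one command per line) for the flows given
# as arguments. Only the named group is granted Trx[WebService]i; grant
# Any-other the same string instead if every authenticated identity may invoke.
gen_flow_batch() {
  cat <<EOF
acl create $ACL_NAME
acl modify $ACL_NAME set group iv-admin TcmdbsvaBRxl[WebService]i
acl modify $ACL_NAME set user sec_master TcmdbsvaBRxl[WebService]i
acl modify $ACL_NAME set group $FLOW_GROUP Trx[WebService]i
objectspace create /$CONTAINER "Broker message flows" 14
EOF
  for flow in "$@"; do
    cat <<EOF
object create /$CONTAINER/$flow "Message flow $flow" 11 ispolicyattachable yes
object create /$CONTAINER/$flow/MessageFlowAccess "Access to $flow" 12 ispolicyattachable yes
acl attach /$CONTAINER/$flow/MessageFlowAccess $ACL_NAME
EOF
  done
}

# Feed the reviewed batch to pdadmin on stdin; pdadmin echoes the result of
# each line, so keep that output and check it for errors afterwards.
apply_flow_batch() {
  gen_flow_batch "$@" | pdadmin -a sec_master -p "${PDPASS:?set PDPASS to the sec_master password}"
}

# Usage: PDPASS=... sh tam_flows.sh OrderFlow RefundFlow   (prints the batch)
#        APPLY=1 PDPASS=... sh tam_flows.sh OrderFlow RefundFlow   (runs it)
if [ $# -gt 0 ]; then
  ensure_action_and_group
  if [ "${APPLY:-0}" = 1 ]; then apply_flow_batch "$@"; else gen_flow_batch "$@"; fi
fi
```

Run it once without APPLY to inspect the batch, then with APPLY=1. Because the batch is plain pdadmin input, the same file can be kept under version control as the record of which flows were authorized and with which ACL.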
For further information about configuring TAM, see IBM® Security Systems information centers.