WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring the JACC provider for Tivoli Access Manager using the administrative console

Why and when to perform this task

In a Network Deployment architecture, verify that all the managed servers, including node agents, are started. The following configuration is performed on the management server. When either Apply or OK is clicked, configuration information is checked for consistency, saved, and applied if successful. In Network Deployment environments, this configuration information is propagated to nodes when a synchronization is performed. Restart the nodes for the configuration changes to take effect.

To configure the Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager using the administrative console:

Steps for this task

  1. Click Security > Global security.
  2. Under Authorization, click Authorization Providers.
  3. Under General properties, select External authorization using a JACC provider.
  4. Under Related items, click External JACC provider.
  5. Under Additional properties, click Tivoli Access Manager Properties. The Tivoli Access Manager JACC provider configuration screen is displayed.
  6. Enter the following information:
    Option: Description
    Enable embedded Tivoli Access Manager: enable
    Ignore errors during embedded Tivoli Access Manager disablement: This option is applicable only when reconfiguring an embedded Tivoli Access Manager client or when disabling an embedded Tivoli Access Manager client. When selected, errors are ignored during disablement of an embedded Tivoli Access Manager client.
    Client listening port set: WebSphere Application Server needs to listen on a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node and machine so a list of ports is required for the processes. Enter the ports that are used as listening ports by Tivoli Access Manager clients, with each entry on a new line. If you specify a range of ports, separate the lower and higher values by a colon (:), as shown in the following example:

    7999
    9990:9999

    Policy Server: Enter the name, the fully-qualified domain name, or the IP address of the Tivoli Access Manager policy server. Include the connection port. Use the form policy_server : port. The policy server communication port is set at the time of Tivoli Access Manager configuration – the default is 7135.
    Authorization Servers: Enter the name, the fully-qualified domain name, or the IP address of the Tivoli Access Manager authorization server. Use the form auth_server : port : priority. The authorization server communication port is set at the time of Tivoli Access Manager configuration – the default is 7136. More than one authorization server can be specified by entering each server on a new line. Having more than one authorization server configured is useful for failover and performance. The priority value is the order of authorization server use. For example:

    auth_server1:7136:1
    auth_server2:7137:2

    A priority (of 1) is still required when configuring against a single authorization server.
    Administrator user name: Enter the Tivoli Access Manager administration user ID as created at the time of Tivoli Access Manager configuration. This ID is usually sec_master.
    Administrator user password: Enter the Tivoli Access Manager administration password for the user ID identified previously.
    User registry distinguished name suffix: Enter the distinguished name suffix for the user registry for Tivoli Access Manager and WebSphere Application Server to share. For example: o=organization,c=country
    Security domain: More than one security domain can be created in Tivoli Access Manager with its own administrative user. Users, groups, and other objects are created within a specific domain and are not permitted to access resources in another domain. Enter the name of the Tivoli Access Manager security domain that is used to store WebSphere Application Server users and groups. If a security domain is not yet established at the time of Tivoli Access Manager configuration, leave the value as Default.
    Administrator user distinguished name: Enter the full distinguished name of the WebSphere Application Server user ID, as created for Tivoli Access Manager in Creating the security administrative user. For example, cn=wasadmin,o=organization,c=country. The name specified in this field must match the server user ID that is specified on the Lightweight Directory Access Protocol setting panel in the WebSphere Application Server administrative console. To access this panel, click Security > Global security. Under User registries, click LDAP.
  7. When all information is entered, click OK to save the configuration properties. The configuration parameters are checked for validity and the configuration is attempted at the host server or cell manager.
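
A pre-flight check for the three line-oriented fields in step 6, as an added example that is not part of the IBM documentation: it parses the port set, policy server and authorization server entries in the forms shown above and rejects malformed ones before they are entered in the console. The function names and the host name pattern (names and IPv4 addresses only) are assumptions.

```python
import re

# Assumption: host names or IPv4 addresses only (no IPv6 literals).
HOST_RE = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$")

def _entries(field):
    """Return the non-empty, stripped lines of a multi-line console field."""
    return [ln.strip() for ln in field.splitlines() if ln.strip()]

def _port(text):
    """Convert text to a TCP port number or raise ValueError."""
    if not (text.isascii() and text.isdigit() and 1 <= int(text) <= 65535):
        raise ValueError("invalid port: %r" % text)
    return int(text)

def parse_port_set(field):
    """Expand 'port' and 'low:high' lines into a sorted list of ports."""
    ports = set()
    for entry in _entries(field):
        low, sep, high = entry.partition(":")
        lo = _port(low)
        hi = _port(high) if sep else lo
        if lo > hi:
            raise ValueError("lower value exceeds higher value: %r" % entry)
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def parse_policy_server(field):
    """Parse 'policy_server:port' into (host, port)."""
    host, sep, port = field.strip().rpartition(":")
    if not sep or not HOST_RE.match(host):
        raise ValueError("expected policy_server:port, got %r" % field)
    return host, _port(port)

def parse_auth_servers(field):
    """Parse 'auth_server:port:priority' lines; return them in order of use."""
    servers = []
    for entry in _entries(field):
        parts = entry.split(":")
        if len(parts) != 3 or not HOST_RE.match(parts[0]):
            raise ValueError("expected auth_server:port:priority, got %r" % entry)
        if not (parts[2].isascii() and parts[2].isdigit()):
            raise ValueError("priority must be a number: %r" % entry)
        servers.append((int(parts[2]), parts[0], _port(parts[1])))
    return sorted(servers)
```

Each parser raises ValueError on the first malformed entry, so a missing priority on a single authorization server is caught before the configuration is attempted.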

Result

After you click OK, WebSphere Application Server completes the following actions: These processes might take some time depending on network traffic or the speed of your machine.

What to do next

If the configuration is successful, the parameters are copied to all subordinate servers, including the node agents. To complete the embedded Tivoli Access Manager client configuration, you must restart all of the servers, including the host server, and enable WebSphere Application Server security.



Sub-topics
Tivoli Access Manager JACC provider settings

Related tasks
Creating the security administrative user

Related reference
Tivoli Access Manager JACC provider configuration


Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_config_JACC_interface_GUI.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.