Why and when to perform this task
Create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials by following these steps:Steps for this task
Module class name: com.tivoli.pdwas.gso.AMPrincipalMapper
Use Login Module Proxy: enable
Authentication strategy: REQUIRED
The Tivoli Access Manager principal mapping module uses the authDataAlias configuration string to retrieve the correct user name and password from the security configuration.
The scenario to use is determined by a JAAS configuration option. The details of these options are presented here:
Name: com.tivoli.pd.as.gso.AliasContainsUserName
Value: True, if the alias contains the user name; false, if the user name must be retrieved from the security context.
When entering authDataAlias attributes through the WebSphere Application Server administrative console, the node name is automatically pre-pended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name.
Name: com.tivoli.pd.as.gso.AliasContainsNodeName
Value: True, if the alias contains the node name.
Enter each new parameter using the following scenario information as a guide.
Name = com.tivoli.pd.as.gso.AMCfgURL
Value = file:///path to PdPerm.properties
Scenario 1
Auth Data Alias - BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
Name | Value |
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
com.tivoli.pd.as.gso.AliasContainsUserName | true |
com.tivoli.pd.as.gso.AliasContainsNodeName | false |
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
debug | false |
Scenario 2
Auth Data Alias - BackendEIS
Resource - BackEndEIS
User - Currently authenticated WebSphere Application Server user
Principal Mapping Parameters
Name | Value |
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
com.tivoli.pd.as.gso.AliasContainsUserName | false |
com.tivoli.pd.as.gso.AliasContainsNodeName | false |
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
debug | false |
Scenario 3
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
Name | Value |
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
com.tivoli.pd.as.gso.AliasContainsUserName | true |
com.tivoli.pd.as.gso.AliasContainsNodeName | true |
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
debug | false |
Scenario 4
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - nodename/BackEndEIS (notice that node name is not removed)
User - eisUser
Principal Mapping Parameters
Name | Value |
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
com.tivoli.pd.as.gso.AliasContainsUserName | true |
com.tivoli.pd.as.gso.AliasContainsNodeName | false |
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
debug | false |
Scenario 5
Auth Data Alias - BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
Name | Value |
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
com.tivoli.pd.as.gso.AliasContainsUserName | false |
com.tivoli.pd.as.gso.AliasContainsNodeName | true |
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
debug | false |
Scenario 6
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - nodename/BackendEIS/eisUser (notice that the resource is the same as Auth Data Alias).
User - Currently authenticated WebSphere Application Server user
Principal Mapping Parameters
Name | Value |
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
com.tivoli.pd.as.gso.AliasContainsUserName | false |
com.tivoli.pd.as.gso.AliasContainsNodeName | false |
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
debug | false |
You now need to create the J2C authentication aliases. The user name and password that are assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password that are assigned to the J2C authentication aliases need to exist so that they can be selected for the J2C connection factory in the administrative console.
To create the J2C authentication aliases, from the WebSphere Application Server administrative console, click Security >Global security. Under JAAS Configuration > J2C Authentication Data, click New for each entry. Refer to the previous table for scenario inputs.
The resource adapter does not need to be packaged with the application; can be stand-alone. For such a scenario the resource adapter is configured from Resources > Resource Adapters.
Configuring custom mapping on connection factory is deprecated in WebSphere Application Server Version 6. To configure the GSO credential mapping, it is recommended that you use the Map Resource References to Resources panel on the administrative console. For more information, refer to J2EE connector security.
Related concepts
Global signon principal mapping