Deploying applications that have security constraints (secured
applications) is not much different than deploying applications that
do not contain any security constraints. The only difference is that
you might need to assign users and groups to roles for a secured application.
The secured application requires that you have the correct active
user registry.
Before you begin
Before you perform this task, verify that you already designed,
developed, and assembled an application with all the relevant security
configurations. For more information on these tasks refer to
Developing applications that use programmatic security and
Securing applications during assembly and deployment. In this context, deploying
and installing an application are considered the same task.
To deploy
a newly secured application click
Applications > Install New
Application and follow the prompts to complete the installation
steps. One of the required steps to deploy secured applications is
to assign users and groups to roles that are defined in the application.
- If you are installing a secured application, roles will be defined
in the application.
- If delegation is required in the application, you will be defining
RunAs roles also.
During the installation of a new application, the role
definition is completed as part of the step that maps security roles
to users and groups. If this assignment has already been completed
by using an assembly tool, you can still confirm the mapping by following
this installation step. You can add new users and groups and modify
existing information during this step.
If the application supports
delegation, a RunAs role will already be defined in the application.
If the delegation policy is set to Specified Identity during
assembly, the intermediary invokes a method by using an identity setup
during deployment. Use the RunAs role to specify the identity under
which the downstream invocations are made. For example, if the RunAs
role is assigned user bob and the client alice is
invoking a servlet, with delegation set that calls the enterprise
beans, the method on the enterprise beans is invoked with bob as
the identity.
As part of the new application installation and
deployment process, one of the steps is to map or modify users to
the RunAs roles. Use this step to assign new users or modify existing
users to RunAs roles when the delegation policy is set to Specified
Identity.
Important: When Tivoli® Access Manager (TAM) is enabled the
deployment and undeployment of applications might take a long time
or even time out. Disabling the ATCCache might resolve the issue.
The ATCCache exists to help with performance during application deployment
and undeployment. With some applications, especially those with many
modules, the cache can actually have a negative impact on performance
in these areas. To disable the ATCCache, navigate to the config/cells/cell_name directory
and modify the amwas.amjacc.template.properties file
to set com.tivoli.pd.as.atcc.ATCCache.enabled=false. Because embedded
TAM is already configured, update the configuration files with that
property. For each instance in the cell, go to the profiles/<profile_name>/etc/tam directory
and modify any file ends as amjacc.properties to
set com.tivoli.pd.as.atcc.ATCCache.enabled=false. The cell must be
restarted before these changes take effect.
About this task
Note that the steps are common whether you are installing
an application or modifying an existing application.
To install
and deploy the application, complete the following steps.