Use this task to configure Tivoli® Access Manager as the Java Authorization Contract for Containers (JACC) provider using the administrative console.
About this task
The following configuration is performed on the management server.
When you click either Apply or OK, configuration information is checked for consistency, saved, and applied if successful.
To configure Tivoli Access Manager as the JACC provider using the administrative console, complete the following steps:
Procedure
- Start the WebSphere® Application Server administrative console by clicking http://yourhost.domain:port_number/ibm/console after starting WebSphere Application Server. If security is currently disabled, log in with any user ID. If security is currently enabled, log in with a predefined administrative ID and password. This ID is typically the server user ID that is specified when you configure the user registry.
- Click Security > Global security > External authorization providers.
- Under General properties, select External authorization using a JACC provider.
- Under Related items, click External JACC provider.
- Under Additional properties, click Tivoli Access Manager Properties. The Tivoli Access Manager JACC provider configuration screen is displayed.
- Enter the following information:
  - Enable embedded Tivoli Access Manager: Select this option to enable Tivoli Access Manager.
  - Ignore errors during embedded Tivoli Access Manager disablement: Select this option when you want to unconfigure the JACC provider. Do not select this option during configuration.
  - Client listening port set: WebSphere Application Server must listen using a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node or machine. More than one authorization server can be specified by separating the entries with commas. Specifying more than one authorization server at a time is useful for reasons of failover and performance. Enter the listening ports used by Tivoli Access Manager clients, separated by a comma. If a range of ports is specified, separate the lower and higher values by a colon (:) (for example, 7999, 9990:999).
  - Policy server: Enter the name of the Tivoli Access Manager policy server and the connection port. Use the policy_server:port form. The policy communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7135.
  - Authorization servers: Enter the name of the Tivoli Access Manager authorization server. Use the auth_server:port:priority form. The authorization server communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7136. The priority value is determined by the order of the authorization server use (for example, auth_server1:7136:1 and auth_server2:7137:2). A priority value of 1 is required when configuring against a single authorization server.
  - Administrator user name: Enter the Tivoli Access Manager administrator user name that was created when Tivoli Access Manager was configured; it is usually sec_master.
  - Administrator user password: Enter the Tivoli Access Manager administrator password.
  - User registry distinguished name suffix: Enter the distinguished name suffix for the user registry that is shared between Tivoli Access Manager and WebSphere Application Server, for example, o=ibm, c=us.
  - Security domain: You can create more than one security domain in Tivoli Access Manager, each with its own administrative user. Users, groups, and other objects are created within a specific domain and are not permitted to access resources in another domain. Enter the name of the Tivoli Access Manager security domain that is used to store WebSphere Application Server users and groups. If a security domain is not established at the time of the Tivoli Access Manager configuration, leave the value as Default.
  - Administrator user distinguished name: Enter the full distinguished name of the WebSphere Application Server security administrator ID (for example, cn=wasdmin, o=organization, c=country). The ID name must match the Server user ID on the Lightweight Directory Access Protocol (LDAP) User Registry panel in the administrative console. To access the LDAP User Registry panel, click Security > Global security. Under User account repository, choose Standalone LDAP registry as the available realm definition. Then click Configure.
- When all information is entered, click OK to save the configuration properties. The configuration parameters are checked for validity and the configuration is attempted at the host server or cell manager.
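The listening port set, policy server, and authorization server fields each have a documented syntax (comma-separated ports or low:high ranges, policy_server:port, and auth_server:port:priority with priority 1 required for a single server), and a mistyped value is only reported after the configuration attempt. The following Python validator is an added example, not code from WebSphere Application Server or Tivoli Access Manager: it checks those formats and the priority rule before submission. The function names, the hostname pattern, the rule that priorities must be unique, and the sample values (pdmgr.example.com and the port numbers) are assumptions or constructed inputs.

```python
"""Validate the connection fields of the Tivoli Access Manager JACC provider panel.

Illustrative code, not part of WebSphere or Tivoli Access Manager. It implements the
input formats the panel documents: a client listening port set, policy_server:port,
and auth_server:port:priority entries.
"""
import re

# Hostname characters accepted by this checker (assumption; the panel may be looser).
HOST_RE = re.compile(r"^[A-Za-z0-9._-]+$")
DEFAULT_POLICY_PORT = 7135   # default policy server port documented on the panel
DEFAULT_AUTHZ_PORT = 7136    # default authorization server port documented on the panel


def _port(value, what):
    """Convert a port string to int and check the TCP port range."""
    try:
        port = int(value)
    except ValueError:
        raise ValueError(f"{what}: port {value!r} is not a number") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"{what}: port {port} is outside 1-65535")
    return port


def parse_port_set(text):
    """Parse the client listening port set: comma-separated ports or low:high ranges.

    Returns a list of (low, high) tuples, one per entry. A reversed range is rejected.
    """
    ranges = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("listening port set: empty entry")
        if ":" in entry:
            low_s, high_s = entry.split(":", 1)
            low = _port(low_s, "listening port set")
            high = _port(high_s, "listening port set")
            if low > high:
                raise ValueError(f"listening port set: lower bound exceeds upper bound in {entry!r}")
        else:
            low = high = _port(entry, "listening port set")
        ranges.append((low, high))
    return ranges


def parse_policy_server(text):
    """Parse 'policy_server:port' and return (host, port)."""
    host, sep, port = text.strip().partition(":")
    if not sep or not HOST_RE.match(host):
        raise ValueError(f"policy server: expected policy_server:port, got {text!r}")
    return host, _port(port, "policy server")


def parse_auth_servers(text):
    """Parse comma-separated 'auth_server:port:priority' entries.

    Enforces the documented rule that a single server must have priority 1, plus the
    assumption that priorities are unique. Returns (host, port, priority) tuples
    sorted by priority, i.e. in the order the servers would be used.
    """
    servers = []
    for entry in text.split(","):
        parts = [p.strip() for p in entry.strip().split(":")]
        if len(parts) != 3 or not HOST_RE.match(parts[0]):
            raise ValueError(f"authorization server: expected auth_server:port:priority, got {entry!r}")
        host, port = parts[0], _port(parts[1], "authorization server")
        try:
            priority = int(parts[2])
        except ValueError:
            raise ValueError(f"authorization server: priority {parts[2]!r} is not a number") from None
        if priority < 1:
            raise ValueError("authorization server: priority must be 1 or greater")
        servers.append((host, port, priority))
    # Documented rule: a single authorization server must be configured with priority 1.
    if len(servers) == 1 and servers[0][2] != 1:
        raise ValueError("authorization server: a single server must have priority 1")
    # Assumption: priorities define a use order, so duplicate values are ambiguous.
    priorities = [s[2] for s in servers]
    if len(set(priorities)) != len(priorities):
        raise ValueError("authorization server: duplicate priority values")
    return sorted(servers, key=lambda s: s[2])


def validate_tam_settings(settings):
    """Validate the three connection fields and return their normalized values."""
    return {
        "listening_ports": parse_port_set(settings["client_listening_port_set"]),
        "policy_server": parse_policy_server(settings["policy_server"]),
        "authorization_servers": parse_auth_servers(settings["authorization_servers"]),
    }


if __name__ == "__main__":
    # Constructed sample input in the formats the panel documents (hostnames are made up).
    sample = {
        "client_listening_port_set": "7999, 9990:9999",
        "policy_server": "pdmgr.example.com:7135",
        "authorization_servers": "auth_server1:7136:1, auth_server2:7137:2",
    }
    print(validate_tam_settings(sample))
```

Running the validator on the sample input returns the parsed port ranges and the authorization servers in priority order; a single server entered with any priority other than 1, or a port range whose lower bound is above its upper bound, raises a ValueError naming the field, which is the same consistency check the console performs only after you click OK.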
Results
After you click OK, WebSphere Application Server completes the following actions:
- Validates the configuration parameters.
- Configures the host server or cell manager.
These processes might take some time depending on network traffic or the speed of your machine.
What to do next
If the configuration is successful, the parameters are copied to all subordinate servers, including the node agents. To complete the embedded Tivoli Access Manager client configuration, you must restart all of the servers, including the host server, and enable WebSphere Application Server security.