You can create a new application login that uses the Tivoli® Access Manager GSO database to store the login credentials.
Procedure
- Click Security > Global security.
- Under Authentication, click Java Authentication and Authorization Service > Application logins.
- Click New to create a new Java Authentication and Authorization Service (JAAS) login configuration.
- Enter the alias name of the new application login. Click Apply.
- Under Additional properties, click JAAS login modules to define the JAAS login modules.
- Click New and enter the following information:
Module class name: com.tivoli.pdwas.gso.AMPrincipalMapper
Use Login Module Proxy: enable
Authentication strategy: REQUIRED
- Click Apply.
- Under the Additional Properties section, click Custom Properties to define login module-specific values that are passed directly to the underlying login modules.
- Click New.
The Tivoli Access Manager principal mapping module uses the authDataAlias configuration string to retrieve the correct user name and password from the security configuration.
The authDataAlias attribute that is passed to the module is configured for the J2C connection factory. Because the authDataAlias attribute is an arbitrary string that is entered at configuration time, the following scenarios are possible:
- The authDataAlias attribute contains both the global sign-on (GSO) resource name and the user name. The format of this string is "Resource/User".
- The authDataAlias attribute contains the GSO resource name only. The user name is determined by using the Subject of the current session.
The scenario to use is determined by a JAAS configuration option, as shown here:
- Name: com.tivoli.pd.as.gso.AliasContainsUserName
- Value: true if the alias contains the user name; false if the user name must be retrieved from the security context
When entering authDataAlias attributes through the WebSphere® Application Server administrative console, the node name is automatically prepended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name, as shown here:
- Name: com.tivoli.pd.as.gso.AliasContainsNodeName
- Value: true if the alias contains the node name
Note: If the PdPerm.properties configuration file is not located in the JAVA_HOME/PdPerm.properties default location, then you also need to add the following property:
- Name: com.tivoli.pd.as.gso.AMCfgURL
- Value: file:///path to PdPerm.properties
Enter each new parameter using the following scenario information as a guide, then click Apply.
Scenario 1
Auth Data Alias - BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
Table 1. Principal Mapping Parameters. This table lists the principal mapping parameters.
Name | Value
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper
com.tivoli.pd.as.gso.AliasContainsUserName | true
com.tivoli.pd.as.gso.AliasContainsNodeName | false
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path
debug | false
Scenario 2
Auth Data Alias - BackendEIS
Resource - BackEndEIS
User - Currently authenticated WebSphere Application Server user
Principal Mapping Parameters
Table 2. Principal Mapping Parameters. This table lists the principal mapping parameters.
Name | Value
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper
com.tivoli.pd.as.gso.AliasContainsUserName | false
com.tivoli.pd.as.gso.AliasContainsNodeName | false
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path
debug | false
Scenario 3
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
Table 3. Principal Mapping Parameters. This table lists the principal mapping parameters.
Name | Value
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper
com.tivoli.pd.as.gso.AliasContainsUserName | true
com.tivoli.pd.as.gso.AliasContainsNodeName | true
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path
debug | false
Scenario 4
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - nodename/BackEndEIS (notice that the node name is not removed)
User - eisUser
Principal Mapping Parameters
Table 4. Principal Mapping Parameters. This table lists the principal mapping parameters.
Name | Value
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper
com.tivoli.pd.as.gso.AliasContainsUserName | true
com.tivoli.pd.as.gso.AliasContainsNodeName | false
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path
debug | false
Scenario 5
Auth Data Alias - BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
Table 5. Principal Mapping Parameters. This table lists the principal mapping parameters.
Name | Value
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper
com.tivoli.pd.as.gso.AliasContainsUserName | false
com.tivoli.pd.as.gso.AliasContainsNodeName | true
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path
debug | false
Scenario 6
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - nodename/BackendEIS/eisUser (notice that the resource is the same as the Auth Data Alias)
User - Currently authenticated WebSphere Application Server user
Principal Mapping Parameters
Table 6. Principal Mapping Parameters. This table lists the principal mapping parameters.
Name | Value
delegate | com.tivoli.pdwas.gso.AMPrincipalMapper
com.tivoli.pd.as.gso.AliasContainsUserName | false
com.tivoli.pd.as.gso.AliasContainsNodeName | false
com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path
debug | false
- Create the Java 2 Connector (J2C) authentication aliases. The user name and password that are assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password that are assigned to the J2C authentication aliases need to exist so that they can be selected for the J2C connection factory in the administrative console.
To create the J2C authentication aliases, from the WebSphere Application Server administrative console, click Security > Global security. Under Authentication, click Java Authentication and Authorization Service > J2C authentication data, and then click New for each new entry. Refer to the previous tables for scenario inputs.
The connection factories for each resource adapter that need to use the GSO database must be configured to use the Tivoli Access Manager principal mapping module:
- From the WebSphere Application Server administrative console, click Applications > Enterprise Applications > application_name > Resource references. Note that J2C connection factories must be already configured for the selected application. To configure a new J2C connection factory, see the Configuring Java EE Connector connection factories in the administrative console article.
- Under Additional properties, click Resource Adapter.
The resource adapter can be stand-alone and does not need to be packaged with the application. For stand-alone scenarios, the resource adapter is configured from Resources > Resource Adapters.
- Under Additional properties, click J2C Connection Factories.
- Click New and enter the connection factory properties.
- When finished, click Apply and then Save.
Attention: Custom mapping configuration for the connection factory is deprecated in WebSphere Application Server Version 6. To configure the GSO credential mapping, use the Map Resource References to Resources panel on the administrative console. For more information, see the J2EE connector security article.
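The alias resolution driven by AliasContainsUserName and AliasContainsNodeName, as an added example that is not IBM documentation or product code: a small Python model that derives the GSO resource and user from an authDataAlias the way scenarios 1 to 4 and 6 describe (those whose results follow from the two flags alone). The names resolve_alias, GsoLookup and the subject_user argument (standing in for the user taken from the session Subject) are assumptions made here, and the resource string keeps the case of the alias as entered.

```python
# Added example (not IBM code): models how the Tivoli Access Manager
# principal mapping module resolves a J2C authDataAlias into a GSO resource
# name and user name, driven by the two JAAS custom properties
# com.tivoli.pd.as.gso.AliasContainsNodeName and
# com.tivoli.pd.as.gso.AliasContainsUserName.
# Assumption: the node name is the first "/"-separated segment and the
# user name is the last one; "subject_user" stands in for the user name
# taken from the Subject of the current session.
from dataclasses import dataclass


@dataclass(frozen=True)
class GsoLookup:
    resource: str            # GSO resource name used for the credential lookup
    user: str                # user name used for the credential lookup
    user_from_subject: bool  # True when the user came from the session Subject


def resolve_alias(auth_data_alias: str,
                  alias_contains_user_name: bool,
                  alias_contains_node_name: bool,
                  subject_user: str) -> GsoLookup:
    """Apply AliasContainsNodeName, then AliasContainsUserName, to an alias."""
    remainder = auth_data_alias
    if alias_contains_node_name:
        # The console prepends "nodename/" to the alias; drop that segment.
        node, sep, remainder = remainder.partition("/")
        if not sep or not remainder:
            raise ValueError(
                f"alias {auth_data_alias!r} has no resource after node {node!r}")
    if alias_contains_user_name:
        # "Resource/User": the user is the last segment, the resource the rest.
        resource, sep, user = remainder.rpartition("/")
        if not sep or not resource or not user:
            raise ValueError(
                f"alias {auth_data_alias!r} is not in Resource/User format")
        return GsoLookup(resource=resource, user=user, user_from_subject=False)
    # Resource only: the user name comes from the current session's Subject.
    return GsoLookup(resource=remainder, user=subject_user, user_from_subject=True)


if __name__ == "__main__":
    # Constructed inputs mirroring scenarios 1, 2, 3, 4 and 6 above.
    for alias, has_user, has_node in [
        ("BackendEIS/eisUser", True, False),
        ("BackendEIS", False, False),
        ("nodename/BackendEIS/eisUser", True, True),
        ("nodename/BackendEIS/eisUser", True, False),
        ("nodename/BackendEIS/eisUser", False, False),
    ]:
        print(alias, has_user, has_node,
              resolve_alias(alias, has_user, has_node, "wasUser"))
```

A misconfigured pair of flags (for example AliasContainsUserName=true on an alias with no "/") raises rather than silently looking up the wrong GSO entry.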