Deploying applications that have security constraints (secured
applications) is not much different than deploying applications that
do not contain any security constraints. The only difference is that
you might need to assign users and groups to roles for a secured application.
The secured application requires that you have the correct active
user registry.
Before you begin
Before you perform this task, verify that you already designed,
developed, and assembled an application with all the relevant security
configurations. For more information on these tasks refer to
Developing applications that use programmatic security and
Securing applications during assembly and deployment. In this context, deploying
and installing an application are considered the same task.
To deploy a newly secured application, click
Applications > Install New Application and follow the prompts
to complete the installation steps. One of the required steps to
deploy secured applications is to assign users and groups to roles
that are defined in the application.
- If you are installing a secured application, roles will be defined
in the application.
- If delegation is required in the application, you will be defining
RunAs roles also.
During the installation of a new application, the role
definition is completed as part of the step that maps security roles
to users and groups. If this assignment has already been completed
by using an assembly tool, you can still confirm the mapping by following
this installation step. You can add new users and groups and modify
existing information during this step.
If the application supports
delegation, a RunAs role will already be defined in the application.
If the delegation policy is set to Specified Identity during
assembly, the intermediary invokes a method by using an identity that is
set up during deployment. Use the RunAs role to specify the identity under
which the downstream invocations are made. For example, if the RunAs
role is assigned user bob and the client alice
invokes a servlet, with delegation set, that calls the enterprise
beans, the method on the enterprise beans is invoked with bob as
the identity.
As part of the new application installation and
deployment process, one of the steps is to map or modify users to
the RunAs roles. Use this step to assign new users or modify existing
users to RunAs roles when the delegation policy is set to Specified
Identity.
Important: When Tivoli® Access Manager (TAM) is enabled, the
deployment and undeployment of applications might take a long time
or even time out. Disabling the ATCCache might resolve the issue.
The ATCCache exists to help with performance during application deployment
and undeployment. With some applications, especially those with many
modules, the cache can actually have a negative impact on performance
in these areas. To disable the ATCCache, navigate to the config/cells/cell_name directory
and modify the amwas.amjacc.template.properties file
to set com.tivoli.pd.as.atcc.ATCCache.enabled=false. Because embedded
TAM is already configured, update the configuration files with that
property. For each instance in the cell, go to the profiles/<profile_name>/etc/tam directory
and modify any file whose name ends with amjacc.properties to
set com.tivoli.pd.as.atcc.ATCCache.enabled=false. The cell must be
restarted before these changes take effect.
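The ATCCache change described above, scripted as an added example (not IBM tooling and not code from the original page). It assumes the caller passes the full path of the config/cells/cell_name directory and of the profiles directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Directory arguments are supplied by the caller (assumption).
PROP='com.tivoli.pd.as.atcc.ATCCache.enabled'
PROP_RE='com\.tivoli\.pd\.as\.atcc\.ATCCache\.enabled'

# set_atcc_disabled FILE
# Force PROP=false in one properties file. An active assignment is rewritten;
# commented-out lines are ignored and the property is appended instead.
set_atcc_disabled() {
    file=$1
    [ -f "$file" ] || return 1
    cp -p "$file" "$file.bak" || return 1      # rollback copy
    if grep -q "^[[:space:]]*$PROP_RE[[:space:]]*[=:]" "$file"; then
        sed "s|^[[:space:]]*$PROP_RE[[:space:]]*[=:].*|$PROP=false|" \
            "$file.bak" > "$file"
    else
        # Add a newline first if the last line is unterminated.
        if [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
        printf '%s=false\n' "$PROP" >> "$file"
    fi
}

# disable_atcc CELL_DIR PROFILES_DIR
# CELL_DIR:     full path of config/cells/cell_name
# PROFILES_DIR: full path of the profiles directory
disable_atcc() {
    cell_dir=$1
    profiles_dir=$2
    updated=0
    for f in "$cell_dir"/amwas.amjacc.template.properties \
             "$profiles_dir"/*/etc/tam/*amjacc.properties; do
        [ -f "$f" ] || continue                # unmatched glob or missing file
        if set_atcc_disabled "$f"; then
            updated=$((updated + 1))
            echo "updated: $f"
        fi
    done
    echo "$updated file(s) updated; restart the cell to apply"
}

if [ "$#" -eq 2 ]; then
    disable_atcc "$1" "$2"
fi
```

Each changed file keeps a .bak copy beside it, so the previous setting can be restored if deployment times do not improve.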
About this task
Note that the steps are common whether you are installing
an application or modifying an existing application.
To install
and deploy the application, complete the following steps.
Procedure
- Click Applications > Install New Application.
Complete the required steps until you see the step for mapping security
roles to users and groups.
- If the application contains roles, assign users and groups to roles.
At this step during the installation, under Additional Properties,
click Map security roles to users and groups. For more information,
see Assigning users and groups to roles.
- If RunAs roles exist in the application, assign users to
RunAs roles. At this step during the installation, under
Additional Properties, click Map RunAs roles to users. For
more information, see Assigning users to RunAs roles.
- Optional: Click Correct use of System Identity to
specify RunAs roles, if needed. Complete this action if the application
has delegation set to use system identity, which is applicable to
enterprise beans only. System identity uses the WebSphere Application Server
security server ID to invoke downstream methods. Using system identity
is not recommended as this ID has more privileges than other identities
in accessing WebSphere Application
Server internal methods. This task is provided to make sure that the
deployer is aware that the methods listed in the panel have system
identity set up for delegation and to correct them if necessary. When
the internalServerId feature is used, runAs with system identity is
not supported; you must specify RunAs roles here.
- Complete the remaining non-security related steps to finish
installing and deploying the application.
What to do next
After a secured application is deployed, verify that you
can access the resources in the application with the correct credentials.
For example, if your application has a protected web module, make
sure only the users that you assigned to the roles can use the application.