Configuring the Tivoli Access Manager plug-in

A Caching Proxy plug-in is provided with Tivoli Access Manager (formerly Tivoli Policy Director) that enables Caching Proxy to use Access Manager for authentication and authorization. This plug-in makes it possible for an enterprise that uses Access Manager for Web access control to add Edge technology without having to duplicate work by setting up separate authorization schemes for the proxy server.

Configuration

A setup script for Caching Proxy is provided with the Access Manager plug-in.

Steps to take before using the configuration script

Before running the script, do the following:
  • Install all necessary software.
  • Configure the proxy server as a surrogate, or reverse proxy.
  • Ensure that the proxy server is set to use port 80. (This is the default value.)
  • Configure your LDAP and Access Manager components, and make sure that they are running while you configure the Access Manager plug-in.
  • Make sure that you have the Access Manager administrator ID and the LDAP administrator name available. These values are required to set up the proxy server.

Using the configuration script

The setup script is named wslconfig.sh and it is provided in the /opt/pdweb-lite/bin/ directory. Enter the Access Manager administrator ID and the LDAP administrator name when prompted.

The configuration script automatically performs the following steps:
  • Sets the Caching Proxy user ID to root and group ID to other
  • Sets the noLog directive to *, which causes no items to be written to Caching Proxy's Access Log
  • Creates a ServerInit directive with the following information:
    ServerInit /opt/pdweb-lite/lib/wesauth.so:WTESeal_Init 
      /opt/pdweb-lite/etc/ibmwesas.conf
  • Creates a PreExit directive with the following information:
    PreExit /opt/pdweb-lite/lib/wesauth.so:WTESeal_PreExit
  • Creates an Authorization directive with the following information:
    Authorization * /opt/pdweb-lite/lib/wesauth.so:WTESeal_Authorize
  • Creates a ServerTerm directive with the following information:
    ServerTerm /opt/pdweb-lite/lib/wesauth.so:WTESeal_Term
  • Creates a Protect statement and Protection setup that forwards all requests to the Access Manager authentication process, as follows:
    Protection PROXY-PROT {
            ServerId WebSEAL-Lite
            Mask All@(*)
            AuthType Basic
            }
    Protect * PROXY-PROT
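
The following check is an added example, not part of the original documentation or of the Access Manager plug-in. It reads proxy configuration text, reports any directive from the list above that is missing or commented out, and flags the NoLog and user ID settings that the script applies. The directive names UserId, GroupId and NoLog, case-insensitive directive names, and ServerInit written on a single line are assumptions; the sample configuration is constructed.

```python
# Added example. Assumptions: UserId/NoLog directive names, case-insensitive names.
EXPECTED = {  # directives the page says wslconfig.sh creates
    "ServerInit": "/opt/pdweb-lite/lib/wesauth.so:WTESeal_Init /opt/pdweb-lite/etc/ibmwesas.conf",
    "PreExit": "/opt/pdweb-lite/lib/wesauth.so:WTESeal_PreExit",
    "Authorization": "* /opt/pdweb-lite/lib/wesauth.so:WTESeal_Authorize",
    "ServerTerm": "/opt/pdweb-lite/lib/wesauth.so:WTESeal_Term",
    "Protection": "PROXY-PROT {",
    "Protect": "* PROXY-PROT",
}

def parse_directives(conf_text):
    """Return {(name, args)} for top-level directives; skip comments and { } bodies."""
    seen, in_block = set(), False
    for line in map(str.strip, conf_text.splitlines()):
        if in_block:                       # body of a Protection { ... } setup
            in_block = not line.startswith("}")
        elif line and not line.startswith("#"):
            name, *args = line.split()     # split/join also normalizes spacing
            seen.add((name.lower(), " ".join(args)))
            in_block = line.endswith("{")
    return seen

def audit(conf_text):
    """Return findings: missing plug-in directives first, then settings to review."""
    seen = parse_directives(conf_text)
    findings = [f"missing: {n} {a}" for n, a in EXPECTED.items()
                if (n.lower(), a) not in seen]
    if ("nolog", "*") in seen:
        findings.append("review: NoLog * set, nothing is written to the access log")
    if ("userid", "root") in seen:
        findings.append("review: proxy user ID is root")
    return findings

CONSTRUCTED_SAMPLE = """\
# constructed sample configuration, not taken from a real system
UserId root
GroupId other
NoLog *
ServerInit /opt/pdweb-lite/lib/wesauth.so:WTESeal_Init /opt/pdweb-lite/etc/ibmwesas.conf
PreExit /opt/pdweb-lite/lib/wesauth.so:WTESeal_PreExit
Authorization * /opt/pdweb-lite/lib/wesauth.so:WTESeal_Authorize
ServerTerm /opt/pdweb-lite/lib/wesauth.so:WTESeal_Term
Protection PROXY-PROT {
        ServerId WebSEAL-Lite
        Mask All@(*)
        AuthType Basic
        }
Protect * PROXY-PROT
"""
```

Calling audit() on the text of the proxy configuration file returns a list of findings; for the constructed sample it returns only the two "review" entries, because every plug-in directive is present.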
        

Starting Caching Proxy and Access Manager plug-in

After configuring the proxy server and the Access Manager plug-in, use the command wslstartwte instead of ibmproxy start to start the proxy server. The wslstartwte command automatically loads environment variables that the Access Manager plug-in requires in order to initialize. If you do not use wslstartwte when starting the proxy server, error messages are displayed about the Access Manager plug-in. The corresponding stop command, ibmproxy stop, is still valid when the plug-in is used.





Last updated: March 23, 2018 0:18
File name: policydir.html