IBM Support

Configuring WebSEAL for WebSphere Business Monitor

Troubleshooting


Problem

When the Business Process Management cluster that hosts Business Space is behind a reverse proxy server, such as WebSEAL/Tivoli Access Manager, problems can occur when you try to access Business Space and its associated widgets.

Symptom

Symptoms can include the following:

  • Cannot access Business Space.
  • Cannot display widgets.
  • Cannot display the correct context information within widgets.

Cause

The WebSEAL/TAM configuration interferes with the Business Space application and its widgets.

Resolving The Problem

Use either the WebSphere Application Server administrative console or the wsadmin utility to configure WebSEAL/TAM.

Using the WebSphere Application Server administrative console to configure JACC-TAM

Note: If you need access to the TAM server, contact the Security SME for server details.

1. Enable Global Security.

  1. Access the administrative console at http://<hostname>:9060/admin.
  2. Go to Security > Global Security.
  3. Enable administrative, application, and Java 2 security, using the LDAP server with which TAM is configured.
  4. Go to Global Security > LDAP, enter the following information, and then click OK:
     Server user ID: the same user ID that you entered for WAS Admin DN in the TAM settings, for example user1
     Server user password: puser1
     Host: <LDAP server configured with TAM>
     Port: <for example, 389>
     Base DN: <for example, o=ibm,c=us>
     Bind DN: <for example, cn=SecurityMaster,secAuthority=Default>
     Bind password: <password for the SecurityMaster user>
  5. Save the configuration, and restart WebSphere Application Server.

2. Enable External Authorization with TAM/JACC.

  1. Access the administrative console at http://<hostname>:9060/admin.
  2. Go to Security > Global Security.
  3. Select External authorization providers.
  4. In the Authorization provider list, select External JACC provider, and then click Configure. The default properties for TAM are correct; if you use the default values, you do not need to make changes.
  5. Under Additional Properties, select Tivoli Access Manager properties, and then select Enable embedded Tivoli Access Manager. Enter the following information, and then click OK.
     Client listening port set: 8900 - 8999. This is the default setting; change it only if you want to use different ports.
     Policy server: your policyserver:port, for example windomain3.rtp.raleigh.ibm.com:7135
     Authorization servers: your authorizationserver:port:priority, for example windomain3.rtp.raleigh.ibm.com:7136:1
     Administrator user name: leave the user name as sec_master (the default), unless you use a different administrator name on the TAM server.
     Password for sec_master: domino123
     Registry distinguished name: the name that you want to use for WAS, for example o=ibm,c=us
     Security domain: leave the security domain set to Default. Change this setting if you are not using the Default domain on the TAM server, or if you have multiple domains on the TAM server and you want to connect to a domain other than Default.
     Administrator user distinguished name: the fully qualified name of the user, for example cn=user1,o=ibm,c=us
     Note: This user is the same as the Server user ID configured in the LDAP user registry panel.
     WebSphere Application Server contacts the TAM server and creates several properties files under the application server. This process might take a few minutes. If an error occurs, look in SystemOut.log and correct the problem.
  6. Save the configuration. SystemOut.log shows a message that TAM was configured successfully.
  7. Go to Security > Global Security, select External authorization providers, and select External JACC provider. Then click OK.

3. If you installed applications before you enabled TAM (for example, you enabled LTPA-LDAP security, installed some secured applications, and mapped users and groups to security roles), push the mapping information from the deployment descriptors to the TAM policy server. To push the mapping information, issue the following wsadmin commands. Use the dmgr form of the queryNames call in a network deployment cell or the server1 form on a stand-alone server, and list the applications to propagate as app1:app2 or pass null to propagate all of them:

wsadmin -user serverID -password serverPWD
wsadmin> set secadm [$AdminControl queryNames type=SecurityAdmin,process=dmgr,*]
wsadmin> set secadm [$AdminControl queryNames type=SecurityAdmin,process=server1,*]
wsadmin> set appNames [list app1:app2]
wsadmin> set appNames [list null]
wsadmin> $AdminControl invoke $secadm propagatePolicyToJACCProvider $appNames

Using the wsadmin utility to configure JACC-TAM

Verify that all the managed servers, including node agents, are started. Perform the following configuration once on the deployment manager server. The configuration parameters are forwarded to managed servers, including node agents, when a synchronization is performed. The managed servers require their own restart for the configuration changes to take effect.

1. Start the WebSphere Application Server.

2. Start the command-line utility by running the wsadmin command from the app_server_root/bin directory.

3. At the wsadmin prompt, type the following command:

    $AdminTask configureTAM -interactive

    Enter the following information:

    WebSphere Application Server node name: Specify a single node, or enter an asterisk (*) to choose all nodes.
    Tivoli Access Manager Policy Server: Enter the name of the Tivoli Access Manager policy server and the connection port, in the format policy_server:port. The policy server communication port is set when Tivoli Access Manager is configured; the default port is 7135.
    Tivoli Access Manager Authorization Server: Enter the name of the Tivoli Access Manager authorization server, in the format auth_server:port:priority. The authorization server communication port is set when Tivoli Access Manager is configured; the default port is 7136. You can specify more than one authorization server by separating the entries with commas, which is useful for failover and performance. The priority value is the order in which the authorization servers are used, for example auth_server1:7136:1,auth_server2:7137:2. A priority of 1 is still required when you configure against a single authorization server.
    WebSphere Application Server administrator's distinguished name: Enter the full distinguished name of the WebSphere Application Server security administrator ID, for example cn=wasadmin,o=organization,c=country.
    Tivoli Access Manager user registry distinguished name suffix: For example, o=organization,c=country.
    Tivoli Access Manager administrator's user name: Enter the Tivoli Access Manager administration user ID that was created when Tivoli Access Manager was configured. This ID is usually sec_master.
    Tivoli Access Manager administrator's user password: Enter the password for the Tivoli Access Manager administrator.
    Tivoli Access Manager security domain: Enter the name of the Tivoli Access Manager security domain that is used to store users and groups. If no security domain was established when Tivoli Access Manager was configured, press Return to accept the default.
    Embedded Tivoli Access Manager listening port set: WebSphere Application Server must listen on a TCP/IP port for authorization database updates from the policy server. Because more than one process can run on a node and machine, a list of ports is required. Enter the ports that Tivoli Access Manager clients use as listening ports, separated by commas; to specify a range of ports, separate the lower and higher values with a colon, for example 7999,9990:9999.
    Defer: Set to yes, this option defers configuration of the management server until the next restart; set to no, the management server is configured immediately. Managed servers are configured on their next restart.

4. After you enter all the information, select F to save the configuration properties or C to cancel the configuration process and discard the entered information.

5. In the administrative console, select Security > Secure administration, applications, and infrastructure > External authorization providers. Select External authorization using a JACC provider option, and then click OK.

6. Go to the main security screen and click OK. Save and sync changes.

7. Restart all Application Server processes in your cell.

8. If you installed applications before you enabled TAM (for example, you enabled LTPA-LDAP security, installed some secured applications, and mapped users and groups to security roles), push the mapping information from the deployment descriptors to the TAM policy server. To push the mapping information, issue the following wsadmin commands. Use the dmgr form of the queryNames call in a network deployment cell or the server1 form on a stand-alone server, and list the applications to propagate as app1:app2 or pass null to propagate all of them:

wsadmin -user serverID -password serverPWD
wsadmin> set secadm [$AdminControl queryNames type=SecurityAdmin,process=dmgr,*]
wsadmin> set secadm [$AdminControl queryNames type=SecurityAdmin,process=server1,*]
wsadmin> set appNames [list app1:app2]
wsadmin> set appNames [list null]
wsadmin> $AdminControl invoke $secadm propagatePolicyToJACCProvider $appNames


Example with SVTM TAM60 server

wsadmin>$AdminTask configureTAM -interactive
Configure embedded Tivoli Access Manager

This command configures embedded Tivoli Access Manager on the WebSphere Application Server node or nodes specified.

WebSphere Application Server Node Name (nodeName): *
*Tivoli Access Manager Policy Server (policySvr): windomain3.rtp.raleigh.ibm.com:7135
*Tivoli Access Manager Authorization Servers (authSvrs): windomain3.rtp.raleigh.ibm.com:7136:1
*WebSphere Application Server administrator's distinguished name (wasAdminDN): cn=was61admin,o=ibm,c=us
*Tivoli Access Manager user registry distinguished name suffix (dnSuffix): o=ibm,c=us
Tivoli Access Manager administrator's user name (adminUid): [sec_master]
*Tivoli Access Manager administrator's user password (adminPasswd): domino123
Tivoli Access Manager security domain (secDomain): [Default]
Embedded Tivoli Access Manager listening port set (portSet): [9900:9999]
Defer (defer): [no]

Configure embedded Tivoli Access Manager

F (Finish)
C (Cancel)

Select [F, C]: [F] F
WASX7278I: Generated command line: $AdminTask configureTAM {-policySvr windomain3.rtp.raleigh.ibm.com:7135 -authSvrs windomain3.rtp.raleigh.ibm.com:7136:1 -wasAdminDN cn=wa
Embedded Tivoli Access Manager configuration action parameters saved successfully. Restart all WebSphere Application Server instances running on the target node or nodes to
wsadmin>


Configuring WebSEAL with TAM

Follow these steps to set up WebSEAL.

1. Ensure that WebSEAL is installed and configured properly.


2. Create the junction between WebSEAL and WebSphere Application Server, using the -c iv_creds option for TAI++ or -c iv_user for TAI. Enter the command as one line, substituting the values for your environment:

(For TAI++)
server task webseald-server create -t tcp -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name

3. Create a trusted user account in TAM that can be used to configure TAI. This example creates the user taiuser with the password ptaiuser:

pdadmin -a sec_master -p domino123
pdadmin sec_master> user create -gsouser -no-password-policy taiuser "cn=taiuser,ou=websphere,o=ibm,c=us" taiuser taiuser ptaiuser
pdadmin sec_master> user modify taiuser password-valid yes
pdadmin sec_master> user modify taiuser account-valid yes

4. Update the webseald-default.conf file.
Edit the WebSEAL configuration file webseal_install_directory/etc/webseald-default.conf and set the following parameter:

basicauth-dummy-passwd = webseal_userid_passwd

For example, if you created taiuser/ptaiuser in TAM:

basicauth-dummy-passwd = ptaiuser

If you are using forms-based authentication, also set:

forms-auth = both
ba-auth = none


Configuring WebSEAL with Application Server

Follow these steps to enable the TAI++ interceptor on Application Server.

1. In the WebSphere Administrative Console, select Global security.

2. Under Authentication mechanisms and expiration, expand Web and SIP security, and then select Trust Association.

3. Select the check box and click Apply.

4. Select Interceptors > TAMTrustAssociationInterceptorPlus > Custom properties, and add these three properties:

Name: com.ibm.websphere.security.webseal.configURL
Value: ${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties

Name: com.ibm.websphere.security.webseal.id
Value: iv-creds

Name: com.ibm.websphere.security.webseal.loginId
Value: taiuser (if you created the user taiuser/ptaiuser in TAM)

5. Restart the Application Server cell.

6. To access the client, go to:

https://<webseal server name>:<webseal port>/<junction name>/<web uri for client>


Transparent junctions

To see the Business Space widgets, create a transparent path junction for each product's widgets. Issue the following command to create a transparent junction:

pdadmin> server task <webseal server> create -t <transport type: tcp or ssl> -x -h <hostname> <path>

For example:

pdadmin> server task webseald-default create -t tcp -x -h monServer.ibm.com /BusinessSpace

Create junctions for the following context roots:
URLs for general Business Space framework (all products):
  • /BusinessSpace/*
  • /BSpaceWidgetsCommon/*

Additional URLs for WebSphere Business Services Fabric widgets:
  • /fabricrest/*

Additional URLs for WebSphere Business Monitor widgets:
  • /BusinessDashboard
  • /DashboardABX
  • /monitorServerComponent
  • /mobile
  • /rest/bpm/monitorimages
  • /rest/bpm/monitor
  • /rest/bpm/events
  • /AlphabloxServer
  • /AlphabloxAdmin
  • /AlphabloxTooling
  • /BloxBuilder

Additional URLs for WebSphere Enterprise Service Bus widgets:
  • /BSpaceWidgetsHM
  • /rest

Additional URLs for WebSphere Process Server widgets:
  • /BSpaceWidgetsHM
  • /SecurityManagerWidgets
  • /BSpaceWidgetsBCM
  • /rest
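
The following script is an added example, not part of the IBM technote: it generates the pdadmin commands that create one transparent path junction for every context root listed above, dropping the roots that the ESB and Process Server lists share so that no junction is created twice. It assumes the page's own example values (WebSEAL instance webseald-default, tcp transport, back-end host monServer.ibm.com).

```python
# Added example, not from the IBM technote: generate the pdadmin commands that
# create one transparent path junction per context root listed above.
# Assumed values (the page's own examples): WebSEAL instance webseald-default,
# tcp transport, back-end host monServer.ibm.com.

# Context roots copied from the technote, grouped by product.
FRAMEWORK = ["/BusinessSpace/*", "/BSpaceWidgetsCommon/*"]
FABRIC = ["/fabricrest/*"]
MONITOR = ["/BusinessDashboard", "/DashboardABX", "/monitorServerComponent",
           "/mobile", "/rest/bpm/monitorimages", "/rest/bpm/monitor",
           "/rest/bpm/events", "/AlphabloxServer", "/AlphabloxAdmin",
           "/AlphabloxTooling", "/BloxBuilder"]
ESB = ["/BSpaceWidgetsHM", "/rest"]
PROCESS_SERVER = ["/BSpaceWidgetsHM", "/SecurityManagerWidgets",
                  "/BSpaceWidgetsBCM", "/rest"]


def junction_paths(*groups):
    """Merge the groups in order, drop a trailing /* (the junction is created
    on the path itself) and skip duplicates: ESB and Process Server both list
    /rest and /BSpaceWidgetsHM, and creating a junction that already exists
    fails unless -f is used."""
    seen, paths = set(), []
    for group in groups:
        for root in group:
            path = root[:-2] if root.endswith("/*") else root
            if path not in seen:
                seen.add(path)
                paths.append(path)
    return paths


def pdadmin_commands(paths, webseal="webseald-default", transport="tcp",
                     host="monServer.ibm.com"):
    """One 'server task ... create -x' line per path; -x makes the junction
    transparent, so WebSEAL forwards the request path unchanged."""
    return [f"server task {webseal} create -t {transport} -x -h {host} {path}"
            for path in paths]


if __name__ == "__main__":
    # Pipe the output into: pdadmin -a sec_master -p <sec_master password>
    for line in pdadmin_commands(
            junction_paths(FRAMEWORK, MONITOR, ESB, PROCESS_SERVER)):
        print(line)
```

Pass only the groups for the products you have installed; the Fabric list is kept separate for that reason.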

Additional configuration steps

1. To stop WebSEAL from renaming the Business Space cookies, add the following stanza to the WebSEAL configuration file:

[preserve-cookie-names]
name = com.ibm.bspace.UserName
name = com.ibm.wbimonitor.UserName

2. (Optional: complete this step only if you encounter issues with the Business Space pages.)
If you are using non-default virtual hosts with a context root, you might need to stop the junction from rewriting the JavaScript on the Business Space pages. To avoid this issue, create the junction for the context root with the -j option, as follows:

server task default-webseald create -f -h <hostname> -p <portnumber> -t tcp -b supply -c iv-user,iv-creds,iv-groups -x -s -j -J trailer /<root context>
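
The following check is an added example, not part of the IBM technote: it parses a WebSEAL configuration file and reports which of the settings required by step 4 of "Configuring WebSEAL with TAM" (basicauth-dummy-passwd, forms-auth, ba-auth) and step 1 above ([preserve-cookie-names]) are missing or wrong. It assumes that ba-auth and basicauth-dummy-passwd live in the [ba] stanza and forms-auth in [forms], and that the TAI user is taiuser/ptaiuser as in the page; the configuration fragment is constructed.

```python
# Added example, not from the IBM technote: check that a WebSEAL configuration
# file carries the settings this page asks for. Assumptions: ba-auth and
# basicauth-dummy-passwd live in the [ba] stanza and forms-auth in [forms].
import re

# Constructed fragment of webseald-default.conf with the required settings.
SAMPLE_CONF = """\
[ba]
ba-auth = none
basicauth-dummy-passwd = ptaiuser
[forms]
forms-auth = both
[preserve-cookie-names]
name = com.ibm.bspace.UserName
name = com.ibm.wbimonitor.UserName
"""

REQUIRED = {  # (stanza, key): expected value; ptaiuser is the page's TAI user password
    ("ba", "basicauth-dummy-passwd"): "ptaiuser",
    ("ba", "ba-auth"): "none",
    ("forms", "forms-auth"): "both",
}
REQUIRED_COOKIES = {"com.ibm.bspace.UserName", "com.ibm.wbimonitor.UserName"}


def parse_webseal_conf(text):
    """Return {stanza: {key: [values]}}; values are lists because stanzas
    such as [preserve-cookie-names] repeat the same key."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            stanza = match.group(1)
            continue
        key, _, value = line.partition("=")
        conf.setdefault(stanza, {}).setdefault(key.strip(), []).append(value.strip())
    return conf


def missing_settings(text):
    """List the settings from this page that the file does not satisfy."""
    conf = parse_webseal_conf(text)
    problems = []
    for (stanza, key), want in REQUIRED.items():
        if conf.get(stanza, {}).get(key, [None])[-1] != want:  # last value wins
            problems.append(f"[{stanza}] {key} should be {want}")
    names = set(conf.get("preserve-cookie-names", {}).get("name", []))
    for cookie in sorted(REQUIRED_COOKIES - names):
        problems.append(f"[preserve-cookie-names] missing name = {cookie}")
    return problems
```

Run missing_settings on the contents of webseal_install_directory/etc/webseald-default.conf; an empty list means the settings from this page are in place.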


Document Information

Modified date: 23 June 2018

UID: swg21409027