Use this task to configure Tivoli® Access Manager as the Java™ Authorization Contract for Containers (JACC) provider using the administrative console.
Before you begin
Before configuring Tivoli Access Manager as the JACC provider, verify that all of the managed servers, including node agents, are started.
Before completing the following steps, verify that you have previously created a security administrative user. For more information, see Creating the security administrative user for Tivoli Access Manager.
About this task
The following configuration is performed on the management server. When you click either Apply or OK, configuration information is checked for consistency, saved, and applied if successful.
This configuration information is propagated to the nodes when synchronization is performed. Restart the nodes for the configuration changes to take effect.
To configure Tivoli Access Manager as the JACC provider using the administrative console, complete the following steps:
Procedure
- Start the WebSphere Application Server administrative console by clicking http://yourhost.domain:port_number/ibm/console after starting WebSphere Application Server.
If security is disabled, log in with any user ID. If security is enabled, log in with a predefined administrative ID and password. This ID is typically the server user ID that is specified when you configure the user registry.
- Click Security > Global security > External authorization providers.
- Under General properties, select External authorization using a JACC provider.
- Under Related items, click External JACC provider.
- Under Additional properties, click Tivoli Access Manager Properties.
The Tivoli Access Manager JACC provider configuration screen is displayed.
- Enter the following information:
  - Enable embedded Tivoli Access Manager
    - Select this option to enable Tivoli Access Manager.
  - Ignore errors during embedded Tivoli Access Manager disablement
    - Select this option when you want to unconfigure the JACC provider. Do not select this option during configuration.
  - Client listening port set
    - WebSphere Application Server must listen using a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node or machine. More than one authorization server can be specified by separating the entries with commas. Specifying more than one authorization server at a time is useful for reasons of failover and performance. Enter the listening ports that are used by Tivoli Access Manager clients, separated by a comma. If a range of ports is specified, separate the smaller and larger values by a colon (:) (for example, 7999, 9990:999).
  - Policy server
    - Enter the name of the Tivoli Access Manager policy server and the connection port. Use the policy_server:port form. The policy communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7135.
  - Authorization servers
    - Enter the name of the Tivoli Access Manager authorization server. Use the auth_server:port:priority form. The authorization server communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7136. The priority value is determined by the order of the authorization server use (for example, auth_server1:7136:1 and auth_server2:7137:2). A priority value of 1 is required when configuring against a single authorization server.
  - Administrator user name
    - Enter the Tivoli Access Manager administrator user name that was created when Tivoli Access Manager was configured; it is usually sec_master.
  - Administrator user password
    - Enter the Tivoli Access Manager administrator password.
  - User registry distinguished name suffix
    - Enter the distinguished name suffix for the user registry that is shared between Tivoli Access Manager and WebSphere Application Server, for example, o=ibm, c=us.
  - Security domain
    - You can create more than one security domain in Tivoli Access Manager, each with its own administrative user. Users, groups, and other objects are created within a specific domain and are not permitted to access resources in another domain. Enter the name of the Tivoli Access Manager security domain that is used to store WebSphere Application Server users and groups. If a security domain is not established at the time of the Tivoli Access Manager configuration, leave the value as Default.
  - Administrator user distinguished name
    - Enter the full distinguished name of the WebSphere Application Server security administrator ID (for example, cn=wasdmin, o=organization, c=country). The ID name must match the Server user ID on the Lightweight Directory Access Protocol (LDAP) User Registry panel in the administrative console. To access the LDAP User Registry panel, click Security > Global security. Under User account repository, choose Standalone LDAP registry as the available realm definition. Then, click Configure.
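The three free-text fields above each have a fixed syntax (comma-separated ports or low:high ranges, policy_server:port, and auth_server:port:priority), and a typo in any of them is only discovered when the panel's consistency check fails. The following Python is an added example, not IBM code and not part of this page's procedure: it validates those three values before they are entered, enforcing the rules stated above (ranges are written smaller:larger, a single authorization server must carry priority 1) and ordering the authorization servers by priority. The host names and port values in the sample run are constructed for the example.

```python
from typing import List, Tuple

MAX_PORT = 65535


def _port(text: str) -> int:
    """Parse one TCP port and reject values outside 1..65535."""
    value = int(text.strip())
    if not 1 <= value <= MAX_PORT:
        raise ValueError(f"port out of range: {value}")
    return value


def parse_listening_ports(text: str) -> List[Tuple[int, int]]:
    """Parse the 'Client listening port set' field.

    Entries are separated by commas; a range is written smaller:larger.
    Returns (low, high) pairs; a single port becomes (port, port).
    """
    ranges = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in listening port set")
        if ":" in entry:
            low_s, high_s = entry.split(":", 1)
            low, high = _port(low_s), _port(high_s)
            if low > high:
                raise ValueError(f"range must be smaller:larger, got {entry!r}")
        else:
            low = high = _port(entry)
        ranges.append((low, high))
    return ranges


def parse_policy_server(text: str) -> Tuple[str, int]:
    """Parse the 'Policy server' field in policy_server:port form (default port 7135)."""
    host, sep, port_s = text.strip().partition(":")
    if not host or not sep:
        raise ValueError("expected policy_server:port")
    return host, _port(port_s)


def parse_authorization_servers(text: str) -> List[Tuple[str, int, int]]:
    """Parse the 'Authorization servers' field: comma-separated auth_server:port:priority.

    Returns the servers sorted by priority (the order in which they are used).
    Enforces the page's rule that a single server must have priority 1.
    """
    servers = []
    for entry in text.split(","):
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"expected auth_server:port:priority, got {entry!r}")
        host, port, priority = parts[0], _port(parts[1]), int(parts[2])
        if priority < 1:
            raise ValueError(f"priority must be 1 or greater: {entry!r}")
        servers.append((host, port, priority))
    if len(servers) == 1 and servers[0][2] != 1:
        raise ValueError("a single authorization server must have priority 1")
    return sorted(servers, key=lambda s: s[2])


def validate_panel(listening: str, policy: str, auth: str) -> dict:
    """Validate all three fields together and return the parsed values."""
    return {
        "listening_ports": parse_listening_ports(listening),
        "policy_server": parse_policy_server(policy),
        "authorization_servers": parse_authorization_servers(auth),
    }


if __name__ == "__main__":
    # Constructed sample values; the host names are placeholders, not real servers.
    result = validate_panel(
        "7999, 9990:9999",
        "tampolicy.example.com:7135",
        "auth_server2:7137:2, auth_server1:7136:1",
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it before filling in the panel; a ValueError names the field and entry that would fail the console's consistency check, which is easier to act on than a failed configuration attempt against the host server or cell manager.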
- When all information is entered, click OK to save the configuration properties. The configuration parameters are checked for validity and the configuration is attempted at the host server or cell manager.
Results
After you click OK, WebSphere Application Server completes the following actions:
- Validates the configuration parameters.
- Configures the host server or cell manager.
These processes might take some time depending on network traffic or the speed of your machine.
What to do next
If the configuration is successful, the parameters are copied to all subordinate servers, including the node agents. To complete the embedded Tivoli Access Manager client configuration, you must restart all of the servers, including the host server, and enable WebSphere Application Server security.