After you install risk-based access, use the deploy operation
of the manageRbaConfiguration command to set up
the risk-based access database and deploy the various components.
Before you begin
- Install risk-based
access.
- For the installation to take effect, restart the application server
or the deployment node in which you installed risk-based access.
- Decide if you want to do an automatic or manual setup of your
database. See Database considerations.
About this task
The wsadmin commands for risk-based
access are called by a Deployment Manager node in a managed environment
with clusters.
If the deploy operation detects
that the runtime security service is configured with IBM® Tivoli® Security Policy Manager,
the existing instance of the runtime security service is not overwritten.
In such a scenario, you can use IBM Tivoli Security Policy Manager as
the policy administration point (PAP) for managing risk-based access
policies. You cannot use the manageRbaPolicy command
to manage policies. Some manageRbaPolicy operations
are disabled in this scenario. The runtime security services of IBM Tivoli Federated Identity Manager and
the runtime security services of IBM Tivoli Security Policy Manager must
share the WebSphere Application Server profile for risk-based access.
Procedure
- Open a command window and access the directory where your WebSphere Application Server profile is located. For example:
  - AIX® or Linux systems:
    /opt/IBM/WebSphere/AppServer70/profiles/AppSrv01/bin
  - Windows systems:
    C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
- Start the wsadmin tool with one of the following commands:
  - AIX® or Linux systems:
    ./wsadmin.sh -username username -password password
  - Windows systems:
    wsadmin.bat -username username -password password
- To deploy the risk-based access runtime environment and plug-ins, run the following wsadmin command:
    $AdminTask manageRbaConfiguration {-operation deploy}
  A message states that risk-based access is deployed successfully.
- Enable security for the runtime security services.
  - In WebSphere Application Server, create a group.
  - On the WebSphere Application Server administrative console, select .
  - Under Detail properties, click Security role to user/group mapping. A list of roles is displayed.
  - Select the tscc-admin role and click Map Groups.
  - Select the group that you created and click OK.
  - Click OK and save the configuration.
  - Use the manageRbaConfiguration command to configure the rtss.admin.basic.authn.username and rtss.admin.basic.authn.pwd properties to match the user name and password in the group that you assigned to the tscc-admin role.
      $AdminTask manageRbaConfiguration {-operation create -propertyName rtss.admin.basic.authn.username -propertyValue user_name}
      $AdminTask manageRbaConfiguration {-operation create -propertyName rtss.admin.basic.authn.pwd -propertyValue password}
- Secure the RTSS service URL if these conditions apply to your IBM Tivoli Federated Identity Manager deployment:
  - RTSS is deployed on the server.
  - The product is junctioned behind WebSEAL.
  If these conditions apply, attach an access control list to /FIM/rtss/admin by using IBM Tivoli Access Manager for e-business, version 6.1.1 or later.
  Attaching an access control list ensures that the page is not available to everyone.
  See the IBM Tivoli Access Manager for e-business documentation.
Results
Risk-based access is deployed.
If no database is
installed and configured with the JNDI context name, jdbc/rba,
an embedded solidDB database is installed, and the schema is created.
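
A post-deployment check for the procedure's last two steps (enabling security for the runtime security services and securing the RTSS service URL), as an added example that is not part of the IBM documentation. It requests the RTSS admin URL without credentials and reports whether the request was rejected. The URL you pass in, the placeholder host in the usage comment, and the function names classify_status, probe and check_rtss_admin are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM code): confirm the RTSS admin URL rejects anonymous requests.
# Usage: sh check_rtss.sh https://webseal.example.com/FIM/rtss/admin
#   (placeholder host; pass the URL that your own deployment exposes)

# Map the HTTP status of an unauthenticated request to a verdict.
classify_status() {
  case "$1" in
    401|403) echo "protected" ;;             # credentials or an ACL were enforced
    301|302|303|307|308) echo "redirect" ;;  # often a login redirect; confirm the target
    2??) echo "review" ;;                    # admin page, or a login form served with 2xx
    000|"") echo "unreachable" ;;            # curl could not connect
    *) echo "unexpected" ;;
  esac
}

# Send one request with no credentials, do not follow redirects, print the status code.
probe() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || true
}

# Succeeds only on an explicit rejection; every other verdict needs a manual look.
check_rtss_admin() {
  status=$(probe "$1")
  verdict=$(classify_status "$status")
  echo "$1 -> HTTP ${status:-none}: $verdict"
  [ "$verdict" = "protected" ]
}

# Run the check only when a URL is supplied on the command line.
if [ "$#" -ge 1 ]; then
  check_rtss_admin "$1"
fi
```

A "review" verdict is not proof of exposure, because a login form can also be returned with a 2xx status; inspect the response body in that case.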