IBM Security Access Manager Portal Integration How To

How to enable WebSealTokenCredential

The TAI++ removes the requirement for the two login modules that the enable-tam-authorization task puts in place to externalize authorization to TAM, but the WebSealLoginModule still has to be present for customer portlets that make use of the WebSealTokenCredential.
The only way the WebSealCredential is placed in the vault is if the WebSealLoginModule is configured. This was likely the way it was set up before the TAI++ implementation was introduced.
In the WAS admin console go to security->jaas config->application logins->portal_login and add a new entry com.ibm.wps.sso.WebSealLoginModule. Accept the defaults, click OK, then save twice.
WebSealLoginModule should then show up in the security.xml file under WebSphere/AppServer/config/cells/cellname/
What this does is place the WebSEAL credential in a dynamically created credential vault slot for the portlets to retrieve. This is done by running
WPSconfig enable-tam-authorization

Add to or create a file named <wp>/shared/app/config/callbackheaderslist.properties containing:

headers.1=iv-user
headers.2=iv-creds
headers.3=iv-groups

The junction's -c option may determine which TAM headers to add to this file.
Also, make sure to set the AuthenticationService.properties property authentication.enable.jaas.execution (or something similarly named) to TRUE. Restart.

How to configure WCM and Document Manager URLs via TAM SSO

Add the following to dynurl.cfg (object-space entry, URL pattern, and the application each entry covers):

/was/wps/content    /was/wps/content*      Document Manager
/was/wps/wcm        /was/wps/wcm*          WCM
/wass/wps/content   /wass/wps/content*     Document Manager
/wass/wps/wcm       /wass/wps/wcm*         WCM
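As an added example (not from the original page or from IBM's product code), the following Python models how these dynurl.cfg entries map an incoming request URL to the protected object whose ACL WebSEAL enforces: entries are tried in file order and the first match wins. It assumes WebSEAL's wildcard patterns can be approximated with shell-style matching (fnmatch), and the sample file contents are constructed from the entries above.

```python
"""Resolve request URLs against WebSEAL dynurl.cfg entries (added example).

Assumption: the pattern column uses shell-style wildcards (* ? []), which
fnmatchcase approximates. The match is done on the full request URI,
query string included, since DynURLs exist to protect dynamic URLs.
"""
from fnmatch import fnmatchcase

# Constructed sample based on the page's entries: two columns per line,
# protected-object-space entry first, URL pattern second.
DYNURL_CFG = """\
# object-space entry        URL pattern
/was/wps/content            /was/wps/content*
/was/wps/wcm                /was/wps/wcm*
/wass/wps/content           /wass/wps/content*
/wass/wps/wcm               /wass/wps/wcm*
"""


def parse_dynurl(text):
    """Return [(object_entry, pattern), ...] in file order.

    Order is preserved because WebSEAL applies the first matching entry,
    so a broad pattern placed first shadows more specific ones below it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(
                f"dynurl.cfg line {lineno}: expected 2 columns, got {len(parts)}"
            )
        entries.append((parts[0], parts[1]))
    return entries


def resolve(entries, request_uri):
    """Map a request URI to the protected object whose ACL applies.

    Returns the first matching object entry, or None when no DynURL entry
    matches; an unmatched request is then governed by the junction's own
    object-space entry rather than a DynURL-specific one.
    """
    for obj, pattern in entries:
        if fnmatchcase(request_uri, pattern):
            return obj
    return None
```

Running resolve on a WCM request such as /was/wps/wcm/connect/site?x=1 returns /was/wps/wcm, which is the object to attach the WCM ACL to.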

How to create an LTPA junction to a Websphere Portal Server

  1. Log on to the WAS admin console as wpsbind or wpsadmin.
  2. Click "Security", pick LTPA, fill in the file name and password fields, and click "Export key".
  3. Manually copy the exported LTPA key onto the WebSEAL system. Make sure you use a secure transport mechanism and secure the key on the WebSEAL system (using OS ACLs or permissions). The key contains both public and private keys, and you don't want anybody to get hold of it.
  4. Log in to the TAM Web Admin Tool as sec_master.
  5. Choose WebSEAL->Create Junction.
  6. Specify the target host (WPS), port and other parameters as usual. Click "Enable LTPA cookie" and enter the location of the LTPA key on the WebSEAL system. Enter its password. Click "Create".
  7. Once the junction is created you can treat it as any other junction: assign ACLs, set DynURLs and Dynamic Junctions, etc. Test by browsing to this junction. WAS should trust the TAM credentials.

How to enable TAM Vault through WPSconfig

Run
WPSconfig enable-tam-vault

Here is what it does:

action-esm-tam-update-vaultservice:
     [echo] AccessManager added to VaultService.properties successfully
action-esm-tam-update-AMVaultWiz:
     [echo] properties added to accessmanagervault.properties successfully


How to enable automatic user provisioning from a Websphere Portal to TAM

This allows users to be added to TAM automatically when they are created in WPS. Note that anyone with access to the public portal URL can then become a user in Tivoli Access Manager by using the portal's self-registration feature. Go to \WebSphere\PortalServer\config on the WPS server and run

WPSconfig.bat validate-pdadmin-connection -DPdAdminPw=password
WPSconfig.bat enable-tam-userprov -DPdAdminPw=password

How to synchronize TAM and WPS timeouts

  1. Modify the WebSphere Portal session timeout.
  2. Configure WebSphere Portal to resume timed out sessions.
  3. Modify the WebSEAL session timeout.

More details can be found in a "secure portal" redbook.
