IBM Security Access Manager Portal Integration How To
How to enable websealtokencredential
The TAI++ removes the requirement to have the two login modules put in place by the enable-tam-authorization task in order to externalize authentication to TAM, but the WebSealLoginModule still has to be there for customer portlets that make use of the WebSealTokenCredential.
The only way the WebSealCredential will be put in the vault is if the WebSealLoginModule is in place. This was likely the way they had it before the introduction of the TAI++ implementation.
In the WAS admin console go to security -> jaas config -> application logins -> portal_login, add a new entry com.ibm.wps.sso.WebSealLoginModule and accept the defaults. Click OK, then save, save.
WebSealLoginModule should then show up in the security.xml file under WebSphere/AppServer/config/cells/<cellname>/
What this does is put the WebSEAL credential into a dynamically created credential vault for the portlets to retrieve. This is done by running
WPSconfig enable-tam-authorization
Add to (or create) the file <wp>/shared/app/config/callbackheaderslist.properties so that it contains:
headers.1=iv-user
headers.2=iv-creds
headers.3=iv-groups
The junction's -c option may determine which TAM headers need to be added to this file.
Also, make sure to set the AuthenticationService.properties property authentication.enable.jaas.execution (or something like that) to TRUE. Restart.
How to configure WCM and Document Manager URLs via TAM SSO
Add the following to dynurl.cfg, one entry per line (the last column is the component each entry covers):
/was/wps/content   /was/wps/content*    Document Manager
/was/wps/wcm       /was/wps/wcm*        WCM
/wass/wps/content  /wass/wps/content*   Document Manager
/wass/wps/wcm      /wass/wps/wcm*       WCM
How to create an LTPA junction to a Websphere Portal Server
- Log-on to WAS admin console as wpsbind or wpsadmin
- Click on the "security", pick LTPA and fill in the file name field, password and click "export key"
- Manually copy the exported LTPA key onto the WebSEAL system. Make sure you use a secure transport mechanism and secure the key on the WebSEAL host (using OS ACLs or permissions). The key contains both the public and the private key; you don't want anybody to get hold of it.
- Login on the TAM Web Admin Tool as sec_master
- Choose WebSEAL->Create Junction
- Specify the target host (WPS), port and other parameters as usual. Click enable LTPA cookie and enter the location of the LTPA key on the WebSEAL system. Enter its password. Click "create"
- Once the junction is created you can treat it as any other junction, assign ACLs, set DynURLs and Dynamic Junctions etc. Test by going to this junction. WAS should trust TAM credentials.
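An added check (not code from the original page) that ties together the callbackheaderslist.properties entry above and the advice to lock down the exported LTPA key: it parses a constructed copy of the properties file, rejects gaps in the headers.N numbering, and flags a key file readable by anyone but its owner. Function names and the sample file are mine.

```python
import os
import stat
import tempfile

# Constructed sample of <wp>/shared/app/config/callbackheaderslist.properties
# with the three WebSEAL headers the page lists.
SAMPLE_CALLBACK_HEADERS = """\
# headers WebSEAL sends over the junction; the login module reads them
headers.1=iv-user
headers.2=iv-creds
headers.3=iv-groups
"""

def parse_callback_headers(text):
    """Return header names in headers.N order; reject gaps in N, since a
    skipped number means that header silently never reaches the login module."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        prefix, _, num = key.strip().partition(".")
        if prefix != "headers" or not num.isdigit():
            raise ValueError("unexpected key: %r" % key)
        found[int(num)] = value.strip()
    if sorted(found) != list(range(1, len(found) + 1)):
        raise ValueError("headers.N numbering has gaps: %s" % sorted(found))
    return [found[i] for i in range(1, len(found) + 1)]

def ltpa_key_exposed(path):
    """True if the LTPA key file is readable by group or others. The export
    holds the private key as well, so anything beyond owner-only is a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def demo():
    headers = parse_callback_headers(SAMPLE_CALLBACK_HEADERS)
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed placeholder, not a real LTPA key\n")
        path = f.name
    try:
        os.chmod(path, 0o644)          # group/world readable: the misconfiguration
        loose = ltpa_key_exposed(path)
        os.chmod(path, 0o600)          # owner-only: what the page asks for
        tight = ltpa_key_exposed(path)
    finally:
        os.remove(path)
    return headers, loose, tight
```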
How to enable TAM Vault through WPSconfig
Run
WPSconfig enable-tam-vault
Here is what it does:
action-esm-tam-update-vaultservice: [echo] AccessManager added to VaultService.properties successfully
action-esm-tam-update-AMVaultWiz: [echo] properties added to accessmanagervault.properties successfully
How to enable automatic user provisioning from a Websphere Portal to TAM
This allows users to be added to TAM automatically when they are created in WPS. Note that anyone with access to the public portal URL can then become a user in Tivoli Access Manager by using the portal's self-registration feature. Go to \WebSphere\PortalServer\config on the WPS server and run
WPSconfig.bat validate-pdadmin-connection -DPdAdminPw=password
WPSconfig.bat enable-tam-userprov -DPdAdminPw=password
How to synchronize TAM and WPS timeouts
- Modify the WebSphere Portal session timeout.
- Configure WebSphere Portal to resume timed out sessions.
- Modify the WebSEAL session timeout.
More details can be found in a "secure portal" redbook.
@HowTo @TAM