
Installing Tivoli Access Manager on Linux

Getting started

Olivier Antibi (oantibi@fr.ibm.com), E-business Architect, IBM
Olivier Antibi was an honors graduate from ENSEEIHT in France before joining the e-business architect team. He began his career as a developer and later as an analyst. Presently focused on IBM Tivoli products, he provides enablement education and consulting to IBM Business Partners. You can reach Olivier at oantibi@fr.ibm.com.
Jean-Paul Chobert (chobert@fr.ibm.com), E-business Architect, IBM
Jean-Paul Chobert is an e-business architect with IBM Developer Relations. He has 21 years of software development experience. Jean-Paul previously worked for Thomson CSF and Alcatel. He works in IBM for the strategic alliance partner program, doing consulting, mentoring, coding, and teaching. He is IBM IT Specialist certified and product certified in IBM Tivoli Access Manager, WebSphere MQ, WebSphere Application Server, WebSphere Commerce, WebSphere Studio, and e-Business Designer. He graduated from Ecole Nationale Superieure des Telecommunications, Paris, France.
James Webster (websteja@us.ibm.com), Technical Consultant, IBM
James Webster is a technical consultant for security products in the Ready for Tivoli Integration program. He is a certified Tivoli Access Manager consultant. James has a degree in computer science from Texas A&M University. Contact him at websteja@us.ibm.com.

Summary:  Linux is quickly becoming a dominant platform for e-business and enterprise applications. The recent release of IBM Tivoli Access Manager 4.1 Fixpack 2 recognized this fact by adding support for Linux on the Intel platform. In this tutorial, you'll learn how to install and configure IBM Tivoli Access Manager 4.1 on Linux. You'll also walk through some simple steps that will test your installation, including the creation of a WebSEAL junction.

Date:  08 Aug 2003
Level:  Introductory

Creating and testing a junction

Introduction

Now that all of the TAM components are configured and started, you can create a junction to a Web server. With this junction, the home page of the IBM HTTP Server is open to anybody, but its documentation is restricted to authenticated users.

First, you'll read about the installation and configuration of the new components involved. Then, you'll learn how to create a junction and access control lists (ACLs), and how to attach them to existing directories.


Installation and configuration

Installing and configuring the IBM HTTP Server

  1. Open the configuration file httpd.conf using a text editor:
    [root@tam4linux root]# cd /opt/IBMHttpServer/conf/
    [root@tam4linux conf]# vi httpd.conf
    [root@tam4linux conf]#
    

  2. Find the document root and make note of it -- you'll be needing it later (see Configuring query_contents).
    #
    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    #
    DocumentRoot "/opt/IBMHttpServer/htdocs/en_US"
    

  3. Because the WebSEAL default configuration uses port 80, you have to change the port number for the HTTP server. Note that the server still listens on every interface, so anyone who can reach port 81 directly bypasses WebSEAL entirely; on anything more than a demo box, bind it to the loopback address (for example, Listen 127.0.0.1:81) or firewall the port.
    # Port: The port to which the standalone server listens. For
    # ports < 1023, you will need httpd to be run as root initially.
    #
    Port 81
    

  4. Start the server:
    [root@tam4linux IBMHttpServer]# cd bin
    [root@tam4linux bin]# pwd
    /opt/IBMHttpServer/bin
    [root@tam4linux bin]# apachectl start
    ./apachectl start: httpd started
    [root@tam4linux bin]#
    

Current architecture

To see the current protected object space, call object list in the pdadmin console, descending one level at a time. You'll obtain the full names of the objects that are used later when ACLs are attached.

[root@tam4linux root]# pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin> object list
/Management
/WebSEAL
pdadmin> object list /WebSEAL
    /WebSEAL/tam4linux.ibm.com
pdadmin> object list /WebSEAL/tam4linux.ibm.com
    /WebSEAL/tam4linux.ibm.com/cgi-bin
    /WebSEAL/tam4linux.ibm.com/icons
    /WebSEAL/tam4linux.ibm.com/pics
    /WebSEAL/tam4linux.ibm.com/index.html
pdadmin>

Notice the sample host name, tam4linux.ibm.com. Throughout the remainder of this tutorial, substitute this with your own host name.


Creating a Junction

To create a junction, enter the following command on one line:

pdadmin> server task webseald-tam4linux.ibm.com create -t tcp
  -h tam4linux -p 81 /ibmhttp
  

Let's look more closely at the components of this command:

  • -t tcp: Defines a TCP junction type. WebSEAL talks plain HTTP to the back end, which is acceptable here only because both run on the same host; for a back end on another machine use -t ssl.
  • -h tam4linux: Defines the back-end host name
  • -p 81: Defines the back-end port number (the one set in httpd.conf above)
  • /ibmhttp: Defines the mount point in the WebSEAL object space, so /ibmhttp/manual/ on WebSEAL maps to /manual/ on the IBM HTTP Server

Configuring query_contents

pdadmin's object list can see through a junction only if the back-end Web server provides WebSEAL's query_contents CGI script, which lists the document root on its behalf. To configure query_contents:

  1. Copy the script from the pdweb directory and make it executable by all users:
    [root@tam4linux query_contents]# pwd
    /opt/pdweb/www/lib/query_contents
    [root@tam4linux query_contents]# ls
    C  query_contents.c  query_contents.cfg  query_contents.exe  query_contents.sh
    [root@tam4linux query_contents]# cp query_contents.sh /opt/IBMHttpServer/cgi-bin/query_contents
    [root@tam4linux query_contents]# cd /opt/IBMHttpServer/cgi-bin/
    [root@tam4linux cgi-bin]# ls
    query_contents
    [root@tam4linux cgi-bin]# chmod 555 query_contents
    

  2. Edit the CGI file and modify the document root to fit the one you have in your Web server.
    #
    # NOTE: change this panel so that the document root is set correctly
    # for your installation.
    #
    ADD_TO_ROOT=
    case "$SERVER_SOFTWARE" in
    WebSEAL*|WAND*)
        DOCROOTDIR=`pwd`
        ;;
    # Apache*) changed to match our server_software
    *Apache*)
    
    #    DOCROOTDIR=`pwd`/../htdocs changed to match our document root
         DOCROOTDIR=`pwd`/../htdocs/en_US
    
        ADD_TO_ROOT="cgi-bin//"
        ;;
    CERN*)
        DOCROOTDIR=/home/www/Web
        ADD_TO_ROOT="cgi-bin//"
        ;;
    *)
        DOCROOTDIR=/usr/local/html
    esac
    

    Here's a hint for a quick debug of this script. Add the following line after the script has printed its Content-type header:

    echo SERVER_SOFTWARE : $SERVER_SOFTWARE
    

    Then point your browser to the following URL (substitute tam4linux.ibm.com with your host name):

    http://tam4linux.ibm.com/cgi-bin/query_contents
    

    This should return SERVER_SOFTWARE : IBM_HTTP_SERVER/1.3.26 Apache/1.3.26 (Unix).

    With the script as shipped, the lookup fails and the document root is not set correctly, because the case branch is chosen with a shell glob pattern, not a regular expression: Apache* only matches a value that begins with Apache. Changing it to *Apache*, which matches any value containing Apache, including IBM_HTTP_SERVER/1.3.26 Apache/1.3.26 (Unix), keeps the rest of the original script intact. This change is reflected in the listing above.

  3. Check the configuration. Point your browser to the following URL:
    http://tam4linux.ibm.com/cgi-bin/query_contents?dirlist=/
    

    Again, substitute tam4linux.ibm.com with your own host name. You should see a status line of 100 followed by a list of the files in the document root directory. If you see a return value other than 100, check the WebSEAL Administration Guide for assistance.

    (Screenshot of the query_contents listing in the browser; not reproduced here.)

  4. Don't forget to remove any debug instructions: the echo above tells every visitor the exact server version, and anything the CGI prints is served both through the junction and directly on port 81. Keep in mind that query_contents itself lists the back-end directory tree to whoever can call it, so once pdadmin can browse the junction, restrict /cgi-bin/query_contents so that only WebSEAL (the webseal-servers group) can read it, and make sure port 81 is not reachable from outside the host.
  5. Finally, compare the list presented in the browser by the CGI script against the list available through the pdadmin console:
    pdadmin> object list /WebSEAL/tam4linux.ibm.com/ibmhttp
        /WebSEAL/tam4linux.ibm.com/ibmhttp/HP-UX.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/HTTP_top_a.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/HTTP_top_b.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/IBMlogosmall.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/OS2.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/Powered_by_a.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/SystemAdmin.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/aixlogo.gif
        /WebSEAL/tam4linux.ibm.com/ibmhttp/apadminred.html
    ....
    ....
    

As you can see, pdadmin is able to browse the junction.
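The comparison above works because query_contents speaks a small protocol that WebSEAL understands. The following POSIX sh script is an added example, not the query_contents.sh that ships with WebSEAL: it reproduces the two points from step 2 (choosing the document root from SERVER_SOFTWARE with glob patterns, and the 100-then-entries reply format with directories marked by a trailing "//") and adds a check that the requested directory stays inside the document root, which the excerpt of the shipped script does not show. The 102 failure status and the path check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the shipped query_contents.sh: a minimal stand-in that
# shows how the document root is chosen from SERVER_SOFTWARE and what reply
# WebSEAL expects back (status line, then entries, directories suffixed "//").
# Assumption: 102 is used here as a generic non-100 failure status; the
# WebSEAL Administration Guide documents the codes the shipped script returns.

# $1 = SERVER_SOFTWARE, $2 = directory the CGI runs from (the cgi-bin).
docroot_for() {
    case "$1" in
        WebSEAL*|WAND*) echo "$2" ;;
        Apache*)        echo "$2/../htdocs" ;;        # stock Apache: "Apache/1.3.26 (Unix)"
        *Apache*)       echo "$2/../htdocs/en_US" ;;  # "IBM_HTTP_SERVER/1.3.26 Apache/1.3.26 (Unix)"
        *)              echo /usr/local/html ;;
    esac
}

# $1 = document root, $2 = the dirlist= value from the query string.
# Refuses anything that resolves outside the document root: the listing is
# reachable over HTTP, so "dirlist=../.." must not walk the filesystem.
list_dir() {
    root=$1; rel=$2
    rootabs=$(cd "$root" 2>/dev/null && pwd -P) || { echo 102; return 1; }
    target=$(cd "$root/$rel" 2>/dev/null && pwd -P) || { echo 102; return 1; }
    case "$target" in
        "$rootabs"|"$rootabs"/*) ;;
        *) echo 102; return 1 ;;
    esac
    echo 100                                   # success status expected by WebSEAL
    for f in "$target"/*; do
        [ -e "$f" ] || continue                # empty directory: the glob stays literal
        name=${f##*/}
        if [ -d "$f" ]; then echo "$name//"; else echo "$name"; fi
    done
}

# CGI entry point: only runs when the Web server has set QUERY_STRING.
if [ -n "${QUERY_STRING:-}" ]; then
    printf 'Content-type: text/plain\n\n'
    list_dir "$(docroot_for "${SERVER_SOFTWARE:-}" "$(pwd)")" "${QUERY_STRING#dirlist=}"
fi
```

Drop it into cgi-bin beside the real script to test the pattern match on your server string, then remove it; it is a teaching aid, not a replacement for the shipped CGI.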


Creating the access control list

Use the following commands to create the Public ACL, which gives everyone, authenticated or not, read access to all the files of the junction.

pdadmin> acl create Public
pdadmin> acl modify Public set any-other Trx
pdadmin> acl modify Public set unauthenticated Trx
pdadmin> acl attach /WebSEAL/tam4linux.ibm.com/ibmhttp Public
pdadmin> acl show Public
    ACL Name: Public
    Description:
    Entries:
        User sec_master TcmdbsvaBl
        Unauthenticated Trx
        Any-other Trx

Notice that you are giving unauthenticated users and any other user the rights T (traverse), r (read), and x (execute) on every object below the junction.

Next, use the following commands to create the Restricted ACL, which limits access to the files below the manual directory to authenticated users.

pdadmin> acl create Restricted
pdadmin> acl modify Restricted set any-other Trx
pdadmin> acl modify Restricted set unauthenticated T
pdadmin> acl attach /WebSEAL/tam4linux.ibm.com/ibmhttp/manual Restricted
pdadmin> acl show Restricted
    ACL Name: Restricted
    Description:
    Entries:
        User sec_master TcmdbsvaBl
        Any-other Trx
        Unauthenticated T


Notice that unauthenticated users may only traverse this directory (to reach another permitted area below it, for example), but may not read or execute any object in it, so WebSEAL challenges them for credentials. Authenticated users fall under any-other and keep Trx.
Note: A WebSEAL ACL should ALWAYS contain the core entries for the groups iv-admin and webseal-servers and the user sec_master; copy them from the ACL WebSEAL created at configuration time with acl show default-webseal. The ACLs above work for this demo, but in a real environment attaching WebSEAL ACLs without the core entries can leave administrators and the WebSEAL servers themselves without the permissions they need on that subtree. The core entries should always be present in a WebSEAL ACL.

To synchronize the policy server and WebSEAL:

pdadmin> server replicate
pdadmin>


A simple test

To verify that the junction behaves as the ACL policy says, first open the junction root, http://tam4linux.ibm.com/ibmhttp/, in a browser. As usual, substitute your own host name for tam4linux.ibm.com. Because Public grants unauthenticated users Trx, the IBM HTTP Server home page appears with no login.

Accessing the junction

Click View Documentation to access the manuals. When you do, you'll get a popup login window, as illustrated below. The login panel appears because basic authentication has been selected in the WebSEAL configuration file (see Configuring WebSEAL). Basic authentication sends the user name and password, base64-encoded, with every request, so over the plain HTTP used in this tutorial they are readable on the wire; in production, serve the login over HTTPS.

Popup login

Clicking the documentation link requests http://tam4linux.ibm.com/ibmhttp/manual/ibm/manual.html. Since the Restricted ACL is attached to .../ibmhttp/manual and gives unauthenticated users only T, WebSEAL refuses to read the page for an anonymous user and challenges for credentials instead.

Once you have authenticated, WebSEAL keeps your session until it ends or times out, so you can read the manual and browse the rest of the site without authenticating again: single sign-on across everything behind this WebSEAL.

Browsing without authenticating
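The script below is an added example, not part of the tutorial, that gathers the policy from this section and the previous one into one place: it writes the pdadmin commands for the two ACLs with the core entries the note above requires, lints an acl show listing for those entries, and, when pointed at a live server, repeats the browser test with curl, including a probe of port 81 to catch the back end being reachable around WebSEAL. It assumes that pdadmin accepts a command file and prompts for the password when -p is omitted, that curl is installed, and that the permission strings for the core entries are those of default-webseal on your server; the values in the script are assumptions, so copy yours from acl show default-webseal before applying.

```shell
#!/bin/sh
# Added example (not from the tutorial): build, lint and verify the ACL policy
# for the /ibmhttp junction.  Usage: sh policy.sh emit|apply|lint|verify

WEBSEAL_SERVER=${WEBSEAL_SERVER:-webseald-tam4linux.ibm.com}
OBJ_ROOT=${OBJ_ROOT:-/WebSEAL/tam4linux.ibm.com}

# ASSUMPTION: permission strings as remembered for the default-webseal ACL on
# this release.  Run `acl show default-webseal` and copy the ones you have.
IV_ADMIN_PERMS=${IV_ADMIN_PERMS:-TcmdbsvaBl}
WEBSEAL_SERVERS_PERMS=${WEBSEAL_SERVERS_PERMS:-Tgmdbsrxl}
SEC_MASTER_PERMS=${SEC_MASTER_PERMS:-TcmdbsvaBl}

# pdadmin commands for one ACL: core entries first, then the entries that give
# the ACL its meaning.  $1 = name, $2 = unauthenticated perms, $3 = any-other perms.
emit_acl() {
    name=$1; unauth=$2; anyother=$3
    cat <<EOF
acl create $name
acl modify $name set group iv-admin $IV_ADMIN_PERMS
acl modify $name set group webseal-servers $WEBSEAL_SERVERS_PERMS
acl modify $name set user sec_master $SEC_MASTER_PERMS
acl modify $name set any-other $anyother
acl modify $name set unauthenticated $unauth
EOF
}

# The whole policy from the tutorial: public junction root, authenticated-only manual.
emit_policy_commands() {
    emit_acl Public Trx Trx
    emit_acl Restricted T Trx
    cat <<EOF
acl attach $OBJ_ROOT/ibmhttp Public
acl attach $OBJ_ROOT/ibmhttp/manual Restricted
acl find Public
acl find Restricted
server replicate
EOF
}

# Read `acl show` output on stdin; succeed only if all three core entries are present.
acl_has_core_entries() {
    awk '/^[ \t]*Group iv-admin /        { a = 1 }
         /^[ \t]*Group webseal-servers / { w = 1 }
         /^[ \t]*User sec_master /       { s = 1 }
         END { exit !(a && w && s) }'
}

# Constructed sample: the Public ACL exactly as the tutorial shows it (no core group entries).
PAGE_PUBLIC_ACL='ACL Name: Public
Description:
Entries:
    User sec_master TcmdbsvaBl
    Unauthenticated Trx
    Any-other Trx'

# One HTTP probe: compare the status curl gets with what the policy should produce
# (curl reports 000 when it cannot connect at all).
expect_status() {
    want=$1; url=$2; shift 2
    got=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$@" "$url" || true)
    if [ "$got" = "$want" ]; then echo "ok   $want $url"; return 0; fi
    echo "FAIL want $want got $got $url"; return 1
}

# The browser test from the tutorial, plus a probe that must NOT succeed.
# Run as: WEBSEAL_HOST=tam4linux.ibm.com CREDS=user:pass sh policy.sh verify
verify_policy() {
    h=$1; creds=$2; rc=0
    expect_status 200 "http://$h/ibmhttp/"                     || rc=1  # anyone may read
    expect_status 401 "http://$h/ibmhttp/manual/"              || rc=1  # basic-auth challenge
    expect_status 200 "http://$h/ibmhttp/manual/" -u "$creds"  || rc=1  # authenticated read
    # The junction is plain TCP to port 81.  Anything but 000 here means the
    # back end is reachable around WebSEAL and the ACLs protect nothing.
    expect_status 000 "http://$h:81/manual/"                   || rc=1
    return $rc
}

case "${1:-}" in
    emit)   emit_policy_commands ;;
    apply)  emit_policy_commands > /tmp/ibmhttp-policy.pdadmin
            pdadmin -a sec_master /tmp/ibmhttp-policy.pdadmin ;;   # prompts for the password
    lint)   acl_has_core_entries && echo "core entries present" || echo "core entries MISSING" ;;
    verify) verify_policy "${WEBSEAL_HOST:-tam4linux.ibm.com}" "${CREDS:-}" ;;
esac
```

Pipe an existing listing through the lint mode (pdadmin output saved to a file, then sh policy.sh lint < acl.txt) before attaching an ACL you wrote by hand; the tutorial's own Public ACL fails that check, which is exactly the point of the note above. The apply mode deliberately leaves -p off the pdadmin command line so the sec_master password does not show up in the process list.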
