Integrating WebSphere Telecom Web Services Server with Tivoli Directory Server for security role mapping

IBM Websphere Telecom Web Services Server (TWSS) uses security role mapping for tasks such as access to and administration of security services.   For better administration, these security roles can be mapped to security identities of users/groups, which can be stored in LDAP for authentication and authorization. This article describes security role mapping with users/groups, how to integrate TWSS with IBM Tivoli Directory Server, and a tool to generate the TWSS users/groups LDIF file.


Pralhad D Galagali (, Senior Staff Software Engineer, IBM Global Business Services, IBM

Pralhad Galagali is a Senior Staff Software Engineer on the IBM Global Business Services team at the IBM India Software Lab in Bangalore. Pralhad has 11 years of experience in information technology and has worked as a Developer, Development Lead, Test Engineer, and Support Engineer on IBM products such as Tivoli Directory, Tivoli Directory Integrator, and WebSphere Telecom Web Services Server. You can contact Pralhad at

Dhandapani Shanmugam (, Solution Architect, Industry Solutions Communications Sector team , IBM

Dhandapani Shanmugam is a Solution Architect on the Industry Solutions Communications Sector team at the IBM India Software Labs in Bangalore. He has 10 years of IT experience and has worked on many IBM telecom products, including WebSphere Software for Telecom, WebSphere Everyplace Server for Telecom, WebSphere Everyplace Access, and WebSphere Everyplace Mobile Portal. He holds patents in the areas of mobile computing, telecommunications, application servers, and XML. He has co-authored an IBM Redbook on WebSphere Telecom Web Services Server, and has authored developerWorks articles on mobile solutions. Dhandapani holds a Bachelor of Engineering degree in Electronics and Communication Engineering from Bhartiyar University in Coimbatore, and a Master of Science degree in Software Systems from Birla Institute of Technology and Science in Pilani. You can contact Dhandapani at

04 April 2012

Also available in Chinese

What are security roles and mappings?

A security role is an application-specific logical grouping of users, classified by common traits such as profile and job responsibility. When an application is deployed, roles are mapped to security identities such as a user or group, and based on this, mapping, a user with a certain security role has associated access rights to an application. It is the responsibility of the application deployer to map the security roles and security identities at deployment time to ensure that the correct users/groups are granted access to the appropriate applications.

IBM® WebSphere® Application Server contains basic facilities for mapping users to roles, and it lets you plug in third-party systems tor manage user authentication and authorization.

Websphere Telecom Web Services Server security role mappings

WebSphere TWSS provides a policy-based mechanism to authorize access to service interfaces, which limits the value of J2EE role-based security for individual services. However, in the case of composite services, where multiple service interfaces are used in a composite application, security roles are more useful, as they can ensure that users are authorized to access the appropriate underlying service piece-parts. Security roles are especially useful for composite service interfaces, where different operations access different back-end web services.

Using LDAP for security role mapping

TWSS requires security roles mapped to the user/group in order to administer different tasks. LDAP provides the application protocol to access and maintain user/group directory information services over the Internet. This article shows you how to integrate WebSphere TWSS with the IBM Tivoli® Directory Server (TDS) for security role mapping. You can also use the steps in this article for LDAP V3 implementation. This article also provides a sample Java®-based tool to generate an LDAP Data Interchange Format (LDIF) file that has different TWSS users/groups. You can use the generated LDIF file to import user/group entities into LDAP. The sample tool is only intended to generate a few entries to test the sample setup, and should not be used as a generic LDIF generation tool for high-volume production use.

Websphere Telecom Web Services Server user groups and security roles

You can map security roles to users or groups during deployment. Roles are initially mapped to groups of users so that if specific users change, the role mapping does not need to change. These groups should be defined prior to running the configuration process. You can then change the group by adding or deleting users, without having to change the initial configuration.

Each service implementation should have one or more roles for its interfaces defined at the time of deployment. For example:

  • TWSSAdministrator -- TWSS Admin Console role used by all TWSS web services
  • AdmissionControlAdmin – Admin role for Admission Control service
  • FaultAlarmAdmin – Admin role for FaultAlarm service
  • NetworkResourcesAdmin - Admin role for Admission Control service
  • SMSSMPPAdmin – Admin role for Admission Control service
  • PXNotifyAdmin - Admin role for Px Notification Service
  • UsageRecordAccess - Access role for Usage Record service

The table below shows some of the generic groups defined and their role mapping in TWSS:

Table 1. Group names and role mappings
Group nameRole mappingDescription
PolicyAdminGroupPolicyAdministratorAdministrator of policies
All authenticated usersPolicyAccessorAnyone accessing policy values
All authenticated usersAll other web service interface rolesClients of the web services
NotifyAdminGroupNotifyManagementAdministrationRoleAdministrator of the notifications
TWSSAdminGroupTWSS Administration Console Administrator, Parlay Administrator, WEST administratorAdministrator of TWSS Administration Console or Parlay Administration Console

Configuring security role mapping with Tivoli Directory Server

This section shows you how to configure security role mapping for TWSS and use TDS as the directory entity that stores the users/groups. The steps assume that TDS is the LDAP directory server.

Preparing the Tivoli Directory Server system with required users/groups

The first step is to prepare the TDS system with the required users/groups. The GENTWSSLdif utility helps you create the required users/groups.

  1. Extract the file.
  2. From the extracted folder, execute the command java –jar GENTWSSLdif.jar. Make sure that JAVA_HOME is set to the correct version of Java installed on your system.
  3. The GENTWSSLdif utility displays its GUI:
    Figure 1. LDIF utility
    LDIF utility
    • Base Suffix -- The base distinguished name that you created. It can be new or already existing.
    • User Data File Location -- The GENTWSSLdif\Data\ folder. The data folder has three XML files:
      • Users.xml -- This file contains the entry for each LDAP users. The user data file location should point to this users.xml file. Each user to be added is inside the user definition tag <userdef>.
      • Classdef.xml -- A user can be associated with several attributes, such as uid, mobile, and employeenumber. Addition and deletion of the attributes depends on the objectclass associated with each LDAP element. These class definitions are read from the file classdef.xml.
      • ousandgroups.xml -- This file contains entries for organizationUnits and group definitions.

      Before running the utility, edit the above three XML to add required classes, organizational units, groups, and users. The utility will read these XML files and create the LDIF file entries.

    • Output LDIF file location -- Location of the resulting LDIF file. By default, the LDIF file name is TWSS.ldif and is located in the directory GENTWSSLdif\Ldif\.

Importing the LDIF file to Tivoli Directory Server

After you successfully run the GENTWSSLdif utility, an LDIF file is generated. If you use the default options, the file will be named TWSS.ldif and stored in GENTWSSLdif\Ldif\.

  1. Copy the LDIF file (TWSS.ldif) to the machine where the TDS server is installed.
  2. Launch the TDS Configuration Tool: Under the LDIF Tasks tab, select Import LDIF data:
    Figure 2. Importing LDIF file
    Importing LDIF file
  3. Browse to the TWSS.ldif file and click Import. The TWSS LDIF data will be populated.
  4. Check the task messages and ensure that there are no errors.
  5. Launch the TDS Instance Administration Tool:
    Figure 3. Starting TDS
    Starting TDS
  6. Click Start/Stop to start TDS.

Adding Tivoli Directory Server to the WebSphere Application Server application infrastructure

  1. Log on to WebSphere Application Server Admin Console and navigate to Security => Secure administration, applications, and infrastructure:
    Figure 4. TDS configuration in WebSphere Application Server 1
    TDS configuration in WebSphere Application Server 1
  2. Select Standalone LDAP registry as the Available realm definitions and click configure button.
    Figure 5. TDS configuration in WebSphere Application Server 2
    TDS configuration in WebSphere Application Server 2
  3. Provide the following attribute values on the Configuration page shown above:
    • Primary administrative user name -- The distinguished name of a user created during LDIF file generation. For example: cn=John,ou=TWSS,o=ibm.
    • Server user identity -- Choose Automatically generated server identity.
    • Type of LDAP server -- Select IBM Tivoli Directory Server.
    • Host and port -- Provide appropriate host and port values.
    • Base distinguished name -- Provide the value of the organization attribute or base suffix that was mentioned during LDIF file generation. For example: o=ibm.
    • Bind distinguished name and Bind password -- Provide the LDAP admin user name and password as values for the attributes Bind distinguished name and Bind password. For example: cn=root, **** (**** = Password corresponding to cn=root).
  4. Click OK and save the changes.
  5. Check Enable administrative security on the Secure administration, applications, and infrastructure page.

Configuring application-level security roles to user/group mapping

  1. Log on to the WebSphere Application Server Admin Console and navigate to Applications => Enterprise Applications => <Application> => Security role to user/group mapping:
    Figure 6. Security role users/groups
    Security role users/groups
  2. Select an appropriate role that needs to be mapped to the LDAP user/group.
  3. Click Look up users for user mapping or Look up groups for group mapping.
  4. Role and users mapping: Click Search to list the existing users in the LDAP registry. Choose an appropriate user and map the role accordingly:
    Figure 7. Security role configuration 1
    Security role configuration 1
  5. Role and groups mapping: Click Search to list the existing groups in the LDAP registry. Choose an appropriate group and map the role accordingly:
    Figure 8. Security role configuration 2
    Security role configuration 2
  6. Click OK and then Save to save the changes.

After you have completed the above steps, restart the server so that your changes to the security configuration will take effect. Since the security roles are mapped to the groups, you can now update a user, add a new user to a group, or delete a user from a group at the TDS side using its client tools.


Code sampleGENTWSSLdif.zip17 KB


  • WebSphere Software for Telecom resources
  • IBM Tivoli Directory Server resources
  • WebSphere resources
  • developerWorks resources
    • Trial downloads for IBM software products
      No-charge trial downloads for selected IBM® DB2®, Lotus®, Rational®, Tivoli®, and WebSphere® products.
    • developerWorks blogs
      Join a conversation with developerWorks users and authors, and IBM editors and developers.
    • developerWorks cloud computing resources
      Access the IBM or Amazon EC2 cloud, test an IBM cloud computing product in a sandbox, see demos of cloud computing products and services, read cloud articles, and access other cloud resources.
    • developerWorks tech briefings
      Free technical sessions by IBM experts to accelerate your learning curve and help you succeed in your most challenging software projects. Sessions range from one-hour virtual briefings to half-day and full-day live sessions in cities worldwide.
    • developerWorks podcasts
      Listen to interesting and offbeat interviews and discussions with software innovators.
    • developerWorks on Twitter
      Check out recent Twitter messages and URLs.
    • IBM Education Assistant
      A collection of multimedia educational modules that will help you better understand IBM software products and use them more effectively to meet your business requirements.


developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into WebSphere on developerWorks

Zone=WebSphere, SOA and web services
ArticleTitle=Integrating WebSphere Telecom Web Services Server with Tivoli Directory Server for security role mapping