Configuring PAM for the services tier is optional. Configure PAM only if you want the services tier to use PAM for authentication. Unlike the engine tier, the services tier can authenticate through LDAP without PAM. PAM configuration of the services tier is only supported with IBM® WebSphere® Application Server Network Deployment.
Before you begin
To complete these tasks, you must have a working knowledge of PAM and the authentication modules and strategies.
About this task
Consider these reasons why you might configure PAM on the services tier:
- Multiple PAM modules can be configured to allow fallback authentication options. For example, you can configure an LDAP server as the primary user registry for authentication and also configure a fallback to local operating system authentication in case the LDAP authentication fails. Such a configuration allows you to combine multiple user registries.
- PAM is a way to customize local operating system authentication. For example, PAM can be used to delegate a local operating system authentication to an LDAP server.
PAM provides authentication support only (verification of the user ID and password). InfoSphere® Information Server also requires user and group membership information to determine the roles assigned to a user, which are used for authorization decisions. PAM does not provide user and group membership support. InfoSphere Information Server determines user and group membership by using one of two mechanisms:
- By default, it looks in the /etc/passwd and /etc/group files.
- You can specify the user and group files to use as PAM registry configuration options.
Restrictions:
- If you configure PAM for use with InfoSphere Information Server, it is strongly recommended that you not run IBM WebSphere Application Server Network Deployment in a clustered environment. Because PAM relies on local files to determine user and group memberships, you would need to ensure that the user and group files are in sync across the nodes. Unexpected results can occur if the files become out of sync.
- The PAM user registry is supported as a stand-alone user registry and is not supported when using a WebSphere federated user registry.
- When a local operating system PAM module is used in the PAM configuration, IBM WebSphere Application Server Network Deployment must be run as root. When a local operating system PAM module is not configured, IBM WebSphere Application Server Network Deployment can be run as a non-root user. This restriction is true for all supported operating systems.
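As an added example (not IBM code), the following Python script works through the two points above: it parses files in the /etc/passwd and /etc/group formats that the PAM registry reads for membership, resolves the groups a user belongs to, reports dangling references between the two files, and fingerprints the pair so copies on different nodes can be compared for drift. The sample users and groups are constructed.

```python
# Added example, not IBM code: validate the passwd/group-format files the PAM registry
# reads for membership, and fingerprint them for cross-node comparison. Sample data is constructed.
import hashlib

USERS_FILE = """root:x:0:0:root:/root:/bin/bash
isadmin:x:1001:1001:IIS admin:/home/isadmin:/bin/bash
dsuser:x:1002:1002:DataStage user:/home/dsuser:/bin/bash
"""
GROUPS_FILE = """root:x:0:
isadmins:x:1001:isadmin
dstage:x:1002:dsuser,isadmin
auditors:x:1003:ghost
"""

def parse_passwd(text):
    """Map user name -> primary gid from name:pw:uid:gid:gecos:home:shell lines."""
    users = {}
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[3])
    return users

def parse_group(text):
    """Map gid -> (group name, set of members) from name:pw:gid:member,member lines."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def groups_for_user(user, users, groups):
    """Primary group (via the passwd gid) plus every group listing the user as a member."""
    names = {name for name, members in groups.values() if user in members}
    if users[user] in groups:
        names.add(groups[users[user]][0])
    return sorted(names)

def find_inconsistencies(users, groups):
    """Dangling references between the two files; these make role resolution unreliable."""
    problems = [f"user {u}: primary gid {g} missing from groups file"
                for u, g in users.items() if g not in groups]
    for name, members in groups.values():
        problems += [f"group {name}: member {m} not in users file"
                     for m in sorted(members - set(users))]
    return problems

def registry_digest(users_text, groups_text):
    """SHA-256 over both files; differing digests across cluster nodes mean drift."""
    return hashlib.sha256(users_text.encode() + b"\0" + groups_text.encode()).hexdigest()
```

Run the digest on each node against the configured usersFile and groupsFile and compare the values; any difference is the out-of-sync condition the restriction warns about.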
Perform this task on the computer that hosts the services tier. PAM support is specific to each platform.
Procedure
1. Add to or create the PAM configuration file on your platform.
2. Configure IBM WebSphere Application Server Network Deployment.
   a. Log in to the IBM WebSphere Application Server Network Deployment Administrative console.
   b. Navigate to the security section of the IBM WebSphere Application Server Network Deployment Administrative console. Select .
   c. In the User account repository section, select Standalone custom registry from the Available realm definitions field and click Configure.
   d. In the Primary administrative user name field, type the administrator user name, which is a valid PAM user ID.
   e. Select the server identity that is stored in the repository. Enter the valid PAM user ID and password.
   f. Ensure that the custom registry class name is the following string: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry. Click Apply.
   g. Complete this step only if you want to use files other than the local operating system authentication files. In the Custom Properties section, select New, define the following properties and values, and click OK.

      Property: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry.usersFile
      Value: The file where the user information is stored. The information in the file must be stored in the same manner as it would be in the /etc/passwd file. If this property is not specified, the default user registry file /etc/passwd is used.

      Property: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry.groupsFile
      Value: The file where the group information is stored. The information in the file must be stored in the same manner as it would be in the /etc/groups file. If this property is not specified, the default group registry file /etc/groups is used.

      Property: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry.moduleName
      Value: You can configure multiple PAM modules with different names on the same computer. Choose the one that you want to specify for this configuration. If this property is not specified, the default value isfpam is used, and a module with that file name is expected to be in the pam.d configuration directory.

   h. Test your configuration. In the Standalone Custom Registry section, click Set as current. If an error occurs, the application server is unable to authenticate with the internal user registry by using the credentials that you provided. Recheck your configuration.
   i. Click Apply, click Save, and log out of the console.
3. Stop the application server.
   Attention:
   - When stopping the application server processes, use the old user name and password, that is, the credentials of the application server administrator from the previous user registry.
   - It is recommended that you not configure PAM in a clustered installation. However, if you do, first stop the application servers and the node agents, and then stop the Deployment Manager.
4. Log in to the computer on which the AppServerAdmin tool is installed. This tool is on the same computer as the services tier, in the IS_install_dir/ASBServer/bin directory.
5. From the command line, run the AppServerAdmin command. This command propagates the administrator user name and password to the application server. Specify the same user ID and password that you specified in the Administrative console in step 2.d.

      IS_install_dir/ASBServer/bin/AppServerAdmin.sh -was -user was_admin_user_id -password was_admin_password

   Tip: The -password parameter is optional. If it is not provided, you are prompted for a password. If you do provide a password, it can be either plain text or an encrypted string that has been created with the encrypt command.
6. Restart the application server. In a clustered installation, start the Deployment Manager, the node agents, and then the application servers.
   If a node agent does not start, the user registry configuration at the Deployment Manager level and at the node level do not match, and the node agent cannot start until they are synchronized. To fix this problem, run the application server syncNode command to synchronize the node with the Deployment Manager.
   a. Log in to the node.
   b. Run the syncNode command. (The \ character at the end of a line indicates a line continuation.)

      cd WAS_install_dir/AppServer/profiles/custom_profile/bin
      ./syncNode.sh dmgr_hostname dmgr_port -user was_admin_username \
          -password was_admin_password

      dmgr_hostname
         The host name of the computer on which the Deployment Manager is running.
      dmgr_port
         The port number of the Deployment Manager. (The default is 8879.)
      was_admin_username and was_admin_password
         The administrator user name and password for the application server.
7. Check the application server log files to ensure that no errors occurred.
8. Verify the configuration by logging in to the IBM InfoSphere Information Server Web console with the new user ID and password.