Configuring the IBM InfoSphere Information Server services tier to use PAM (Linux, UNIX)

Configuring PAM for the services tier is optional. Configure PAM only if you want the services tier to use PAM for authentication. Unlike the engine tier, the services tier can authenticate through LDAP without PAM. PAM configuration of the services tier is supported only with IBM® WebSphere® Application Server Network Deployment.

Before you begin

To complete these tasks, you must have a working knowledge of PAM and the authentication modules and strategies.

About this task

Consider these reasons why you might configure PAM on the services tier:
  • Multiple PAM modules can be configured to allow fallback authentication options. For example, you can configure an LDAP server as the primary user registry for authentication and also configure a fallback to local operating system authentication in case the LDAP authentication fails. Such a configuration allows you to combine multiple user registries.
  • PAM is a way to customize local operating system authentication. For example, PAM can be used to delegate a local operating system authentication to an LDAP server.

PAM provides authentication support only (verification of the user ID and password). InfoSphere® Information Server also requires user and group membership information to determine the roles assigned to a user, and those roles are used for authorization decisions. PAM does not provide user and group membership support. InfoSphere Information Server determines user and group membership by using one of two mechanisms:

  1. By default, it looks in the /etc/passwd and /etc/group files.
  2. You can specify the user and group files to use as PAM registry configuration options.

Restrictions:
  • If you configure PAM for use with InfoSphere Information Server, it is strongly recommended that you not run IBM WebSphere Application Server Network Deployment in a clustered environment. Because PAM relies on local files to determine user and group memberships, you would need to ensure that the user and group files are in sync across the nodes. Unexpected results can occur if the files become out of sync.
  • The PAM user registry is supported as a stand-alone user registry and is not supported when using a WebSphere federated user registry.
  • When a local operating system PAM module is used in the PAM configuration, IBM WebSphere Application Server Network Deployment must be run as root. When a local operating system PAM module is not configured, IBM WebSphere Application Server Network Deployment can be run as a non-root user. This restriction is true for all supported operating systems.

Perform this task on the computer that hosts the services tier. PAM support is specific to each platform.
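The fallback design described above (LDAP as the primary registry, local operating system authentication as the fallback) is expressed in the PAM service file that step 1 of the procedure creates; with the default module name, WebSphere expects that file to be named isfpam in the pam.d directory. The following script is an added example, not IBM's configuration: it writes such a stack to a directory you choose and checks two things a reviewer should look for. The control flags are what make the fallback work: a module marked sufficient ends the stack with success as soon as it accepts the password, while a stack of two required modules would demand that both registries accept it. The module names pam_ldap.so and pam_unix.so are an assumption about a Linux host with those modules installed; pam_unix.so reads /etc/shadow, which is why the restriction above requires the application server to run as root when a local module is in the stack.

```shell
#!/bin/sh
# Added example: stage a PAM service file "isfpam" (the default moduleName the
# WebSphere custom registry expects under pam.d) that tries LDAP first and falls
# back to the local passwd/shadow database. Module names are assumptions for a
# Linux host with pam_ldap.so and pam_unix.so installed.

# write_isfpam_config PAM_DIR
# PAM_DIR is normally /etc/pam.d; it is a parameter so the file can be staged
# and inspected somewhere else first.
write_isfpam_config() {
    cat > "$1/isfpam" <<'EOF'
# isfpam: InfoSphere Information Server services tier
# sufficient = if pam_ldap accepts the password, stop here with success;
# if it does not (wrong password, LDAP unreachable), fall through to pam_unix.
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so try_first_pass
# The account stack mirrors the auth stack so that a user who is expired or
# locked in one registry is still evaluated by the other.
account  sufficient  pam_ldap.so
account  required    pam_unix.so
EOF
    chmod 644 "$1/isfpam"
}

# lint_pam_config FILE
# Reject lines that are not "type control module [args]" with the plain keyword
# controls. Bracketed controls such as [success=ok default=die] are not handled here.
lint_pam_config() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
        NF < 3 { printf "line %d: too few fields: %s\n", NR, $0; bad = 1; next }
        $1 !~ /^(auth|account|password|session)$/ {
            printf "line %d: unknown type %s\n", NR, $1; bad = 1 }
        $2 !~ /^(required|requisite|sufficient|optional|include|substack)$/ {
            printf "line %d: unknown control %s\n", NR, $2; bad = 1 }
        $2 !~ /^(include|substack)$/ && $3 !~ /\.so$/ {
            printf "line %d: module %s should end in .so\n", NR, $3; bad = 1 }
        END { exit bad }
    ' "$1"
}

# auth_stack_falls_back FILE
# Returns 0 when the auth stack really falls back: at least one earlier module is
# marked sufficient and the last module is the required/requisite last resort.
# A stack of two required modules would require BOTH registries to accept the password.
auth_stack_falls_back() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "auth" { n++; ctl[n] = $2 }
        END {
            if (n < 2) exit 1
            if (ctl[n] != "required" && ctl[n] != "requisite") exit 1
            for (i = 1; i < n; i++) if (ctl[i] == "sufficient") exit 0
            exit 1
        }
    ' "$1"
}

# Usage: ./isfpam_stage.sh --demo   (stages into a temporary directory)
if [ "${1:-}" = "--demo" ]; then
    stage=$(mktemp -d)
    write_isfpam_config "$stage"
    lint_pam_config "$stage/isfpam" && auth_stack_falls_back "$stage/isfpam" \
        && echo "staged $stage/isfpam: syntax OK, LDAP-first with local fallback"
    rm -rf "$stage"
fi
```

Run it with --demo to stage the file in a temporary directory; copy the result to /etc/pam.d/isfpam on the services tier host only after reviewing it, and keep the checks handy for any hand-edited variant.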

Procedure

  1. Add to or create the PAM configuration file on your platform.
  2. Configure IBM WebSphere Application Server Network Deployment.
    1. Log in to the IBM WebSphere Application Server Network Deployment Administrative console.
    2. Navigate to the security section of the IBM WebSphere Application Server Network Deployment Administrative console. Select Security > Global Security.
    3. In the User account repository section, select Standalone custom registry from the Available realm definitions field and click Configure.
    4. In the Primary administrative user name field, type the administrator user name, which is a valid PAM user ID.
    5. Select the server identity that is stored in the repository. Enter the valid PAM user ID and password.
    6. Ensure that the custom registry class name is the following string: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry. Click Apply.
    7. Complete this step only if you want to use files other than the local operating system authentication files. In the Custom Properties section, select New, define the following properties and values, and click OK.
      Property: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry.usersFile
      Value: The file where the user information is stored. The information in the file must be stored in the same manner as it would in the /etc/passwd file. If this property is not specified, the default user registry file /etc/passwd is used.
      Property: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry.groupsFile
      Value: The file where the group information is stored. The information in the file must be stored in the same manner as it would in the /etc/group file. If this property is not specified, the default group registry file /etc/group is used.
      Property: com.ibm.iis.isf.j2ee.impl.was.security.WASExtendedCustomUserRegistry.moduleName
      Value: You can configure multiple PAM modules with different names on the same computer. Choose the one that you want to specify for this configuration. If this property is not specified, the default value isfpam is used, and a module with that file name is expected to be in the pam.d configuration directory.
    8. Test your configuration.
      In the Standalone Custom Registry section, click Set as current. If an error occurs, the application server is unable to authenticate with the internal user registry by using the credentials that you provided. Recheck your configuration.
    9. Click Apply, click Save, and log out of the console.
  3. Stop the application server.
    Attention:
    • When stopping the application server processes, use the old user name and password, that is, the credentials of the application server administrator from the previous user registry.
    • It is recommended that you not configure PAM in a clustered installation. However, if you do, first stop the application servers and the node agents, and then stop the Deployment Manager.
  4. Log in to the computer on which the AppServerAdmin tool is installed. This tool is on the same computer as the services tier, in the IS_install_dir/ASBServer/bin directory.
  5. From the command line, run the AppServerAdmin command. This command propagates the administrator user name and password to the application server. Specify the same user ID and password that you specified in the Administrative console in step 2.d (the Primary administrative user name).
    IS_install_dir/ASBServer/bin/AppServerAdmin.sh -was -user was_admin_user_id -password was_admin_password
    Tip: The -password parameter is optional. If not provided, you will be prompted for a password. If you do provide a password, it can be either plain text or an encrypted string that has been created with the encrypt command.
  6. Restart the application server. In a clustered installation, start the Deployment Manager, the node agents, and then the application servers.
    If one of the node agents does not start, the cause is that the user registry configuration at the Deployment Manager level and at the node level do not match. To fix this problem, run the application server syncNode command to synchronize the node with the Deployment Manager.
    1. Log in to the node.
    2. Run the syncNode command:
      cd WAS_install_dir/AppServer/profiles/custom_profile/bin
      ./syncNode.sh dmgr_hostname dmgr_port -user was_admin_username -password was_admin_password
      where:
      dmgr_hostname: The host name of the computer on which the Deployment Manager is running.
      dmgr_port: The port number of the Deployment Manager. (The default is 8879.)
      was_admin_username and was_admin_password: The administrator user name and password for the application server.
  7. Check the application server log files to ensure that no errors occurred.
  8. Verify the configuration by logging in to the IBM InfoSphere Information Server Web console with the new user ID and password.
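Because PAM only verifies passwords and the custom registry reads group membership from passwd-style and group-style files (step 2.g of the procedure, and the clustering restriction above), a malformed or out-of-sync usersFile/groupsFile pair causes authorization surprises rather than login failures. The script below is an added example, not an IBM tool: it checks that a usersFile has the seven passwd fields with unique names and UIDs, that a groupsFile has the four group fields with unique names and GIDs, that every listed member exists in the usersFile, that every user's primary GID has a group entry, and it prints a fingerprint you can compare across cluster nodes. The sample entries it writes (isadmin, dsuser, dstage) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity checks for the passwd-style usersFile and group-style
# groupsFile that WASExtendedCustomUserRegistry reads for group membership.
# Sample users and groups below are constructed, not from any real installation.

# check_users_file USERS_FILE
# Every line must have the 7 colon-separated passwd fields; user names and UIDs
# must be unique (a duplicate UID would let two logins share one identity).
check_users_file() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 7          { printf "users line %d: expected 7 fields, got %d\n", NR, NF; bad = 1 }
        ($1 in seen_name) { printf "users line %d: duplicate user name %s\n", NR, $1; bad = 1 }
        ($3 in seen_uid)  { printf "users line %d: duplicate UID %s\n", NR, $3; bad = 1 }
        { seen_name[$1] = 1; seen_uid[$3] = 1 }
        END { exit bad }
    ' "$1"
}

# check_groups_file GROUPS_FILE USERS_FILE
# Each group line needs 4 fields with unique names and GIDs; every member listed
# in field 4 must be a user in USERS_FILE, and every user's primary GID (passwd
# field 4) must exist as a group, otherwise role lookups for that user are incomplete.
check_groups_file() {
    awk -F: -v ufile="$2" '
        BEGIN { bad = 0 }
        FILENAME == ufile { user[$1] = 1; primary_gid[$4] = 1; next }   # users file is read first
        NF != 4       { printf "groups line %d: expected 4 fields, got %d\n", FNR, NF; bad = 1 }
        ($1 in gname) { printf "groups line %d: duplicate group name %s\n", FNR, $1; bad = 1 }
        ($3 in gid)   { printf "groups line %d: duplicate GID %s\n", FNR, $3; bad = 1 }
        {
            gname[$1] = 1; gid[$3] = 1
            n = split($4, member, ",")
            for (i = 1; i <= n; i++)
                if (member[i] != "" && !(member[i] in user)) {
                    printf "group %s lists unknown member %s\n", $1, member[i]; bad = 1
                }
        }
        END {
            for (g in primary_gid)
                if (!(g in gid)) { printf "primary GID %s has no entry in groups file\n", g; bad = 1 }
            exit bad
        }
    ' "$2" "$1"
}

# registry_fingerprint USERS_FILE GROUPS_FILE
# Prints CRC and size of both files (paths omitted) so the output can be compared
# between cluster nodes to confirm the registry files are identical.
registry_fingerprint() {
    cksum "$1" "$2" | awk '{ printf "%s:%s ", $1, $2 }'
}

# make_sample_registry DIR: constructed sample files, including deliberately broken ones.
make_sample_registry() {
    cat > "$1/users" <<'EOF'
isadmin:x:1001:1001:IIS admin:/home/isadmin:/bin/bash
dsuser:x:1002:1002:DataStage user:/home/dsuser:/bin/bash
EOF
    cat > "$1/groups" <<'EOF'
isadmin:x:1001:
dsuser:x:1002:
dstage:x:2000:isadmin,dsuser
EOF
    # Broken users copy: second line has 6 fields and reuses UID 1001.
    cat > "$1/users.bad" <<'EOF'
isadmin:x:1001:1001:IIS admin:/home/isadmin:/bin/bash
dsuser:x:1001:1002:DataStage user:/home/dsuser
EOF
    # Broken groups copy: unknown member, malformed line, missing primary groups.
    cat > "$1/groups.bad" <<'EOF'
dstage:x:2000:isadmin,ghost
broken-line
EOF
}

# Usage: ./check_registry_files.sh --demo   (or call the check_* functions on real files)
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_sample_registry "$dir"
    check_users_file "$dir/users" && check_groups_file "$dir/groups" "$dir/users" \
        && echo "sample registry OK, fingerprint: $(registry_fingerprint "$dir/users" "$dir/groups")"
    check_groups_file "$dir/groups.bad" "$dir/users" || echo "groups.bad rejected as expected"
    rm -rf "$dir"
fi
```

On a real installation, run check_users_file and check_groups_file against the paths you set in the usersFile and groupsFile properties (or /etc/passwd and /etc/group when the properties are unset) before step 8, and compare registry_fingerprint output from every node if you chose to configure PAM in a clustered installation despite the restriction.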