Setting access controls for the proxy

Access control lists (ACLs) cannot be managed from the Security Directory Server proxy server. When a proxy server is used, the back-end servers enforce access control. If ACLs exist on the top-level object at the partition split point, the LDAP administrator must ensure that the proper ACLs are created on each of the back-end servers.

About this task

Security Verify Access must have proper access control to allow it to manage users and groups within the suffixes where user and group definitions are maintained. To set the necessary ACLs on the back-end servers to allow Security Verify Access to manage the partition suffixes, use the Security Verify Access ivrgy_tool utility with the add-acls parameter.

Procedure

  1. Run the ivrgy_tool utility from any system where the Security Verify Access Runtime component is installed, for example, the system where the policy server is installed.
  2. To apply the proper ACLs on each of the back-end servers, run the following command:
    ivrgy_tool -h backend_host -p backend_port -D ldap_admin_DN \
    -w ldap_admin_pwd -d [-Z] [-K ssl_keyfile] [-P ssl_keyfile_pwd] \
    [-N label] add-acls domain

    For more information about the ivrgy_tool utility, see the Reference topics in the IBM Knowledge Center.
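The following script is an added example, not IBM's own tooling: it runs the documented ivrgy_tool add-acls command against every back-end server behind the proxy and reports each server on which the ACL update failed, so that no partition is left without the ACLs. It assumes ivrgy_tool is on PATH and the LDAP administrator password is supplied in LDAP_ADMIN_PWD; the host list, cn=root and Default are constructed placeholders.

```shell
#!/bin/sh
# Added example (not IBM's script): apply the Security Verify Access ACLs on
# each back-end server in turn. Assumes ivrgy_tool is on PATH and that the
# LDAP admin DN/password contain no whitespace (args are word-split).
set -u

BACKENDS="${BACKENDS:-ldap1.example.com:389 ldap2.example.com:389}"  # constructed
LDAP_ADMIN_DN="${LDAP_ADMIN_DN:-cn=root}"                            # placeholder
LDAP_ADMIN_PWD="${LDAP_ADMIN_PWD:-}"
SVA_DOMAIN="${SVA_DOMAIN:-Default}"                                  # placeholder
SSL_KEYFILE="${SSL_KEYFILE:-}"          # set to enable -Z/-K (and -P/-N below)
SSL_KEYFILE_PWD="${SSL_KEYFILE_PWD:-}"
SSL_LABEL="${SSL_LABEL:-}"
IVRGY_TOOL="${IVRGY_TOOL:-ivrgy_tool}"  # override with "echo" for a dry run

# Print the ivrgy_tool argument list for one back-end server (host, port).
# The option set mirrors the documented command; the TLS options are added
# only when a key file is configured.
build_args() {
  [ -n "$LDAP_ADMIN_PWD" ] || { echo "LDAP_ADMIN_PWD is not set" >&2; return 1; }
  args="-h $1 -p $2 -D $LDAP_ADMIN_DN -w $LDAP_ADMIN_PWD -d"
  if [ -n "$SSL_KEYFILE" ]; then
    args="$args -Z -K $SSL_KEYFILE"
    if [ -n "$SSL_KEYFILE_PWD" ]; then args="$args -P $SSL_KEYFILE_PWD"; fi
    if [ -n "$SSL_LABEL" ]; then args="$args -N $SSL_LABEL"; fi
  fi
  printf '%s add-acls %s\n' "$args" "$SVA_DOMAIN"
}

# Run add-acls on every back-end server; returns non-zero if any server
# failed, so the operator knows which partition still lacks the ACLs.
apply_acls() {
  failed=0
  for entry in $BACKENDS; do
    host="${entry%%:*}"; port="${entry##*:}"
    args=$(build_args "$host" "$port") || return 1
    # shellcheck disable=SC2086  # intentional word splitting of $args
    if "$IVRGY_TOOL" $args; then
      echo "ACLs applied on $host:$port"
    else
      echo "ACL update FAILED on $host:$port" >&2
      failed=1
    fi
  done
  return "$failed"
}

if [ "${1:-}" = "--apply" ]; then apply_acls; fi
```

Run it with --apply after exporting LDAP_ADMIN_PWD and BACKENDS; set IVRGY_TOOL=echo first to review the exact command lines without touching the servers.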

Results

The policy server is the only Security Verify Access component that must be retargeted to the Security Directory Server proxy server as described in Security Verify Access configuration with the proxy. Other Security Verify Access components, such as the authorization server or WebSEAL, do not need to be retargeted.

After the policy server is configured, other Security Verify Access components can be configured normally.

When you configure Security Verify Access Runtime for other components, specify the Security Directory Server proxy server host name and port as the LDAP host name and port. The back-end servers do not need to be specified.