Setting access controls for the proxy

Access control lists (ACLs) cannot be managed from the Security Directory Server proxy server. When a proxy server is used, it is the back-end server that enforces access control. If ACLs exist on the top-level object of the partition split point, the LDAP administrator must ensure that the same ACLs are created on each of the back-end servers.

About this task

Verify Identity Access must have proper access control to allow it to manage users and groups within the suffixes where user and group definitions are maintained. To set the necessary ACLs on the back-end servers to allow Verify Identity Access to manage the partition suffixes, use the Verify Identity Access ivrgy_tool utility with the add-acls parameter.

Procedure

  1. Run the ivrgy_tool utility from any system where the Verify Identity Access Runtime component is installed, for example, the system where the policy server is installed.
  2. To apply the proper ACLs on each of the back-end servers, run the following command:
    ivrgy_tool -h backend_host -p backend_port -D ldap_admin_DN \
    -w ldap_admin_pwd -d [-Z] [-K ssl_keyfile] [-P ssl_keyfile_pwd] \
    [-N label] add-acls domain

    For more information about the ivrgy_tool utility, see the Reference topics in the IBM Knowledge Center.
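    Because the add-acls step must be repeated against every back-end server, and a practitioner normally wants to confirm that the ACLs landed, the following script is an added example that is not part of the IBM documentation. It renders the documented command for each back-end from a host list, runs it, and then reads the resulting ACLs back from the partition suffix with ldapsearch. The host names, ports, admin DN, domain, suffix, password-file path and the use of the aclEntry attribute for verification are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: repeat the add-acls step on
# every back-end server behind the Security Directory Server proxy, then read
# the resulting ACLs back. Host names, ports, DN, domain, suffix and the
# password-file path are constructed sample values; edit them for your site.

LDAP_ADMIN_DN="cn=root"                          # assumed LDAP admin DN
PWD_FILE="/etc/verify-access/ldap_admin.pwd"     # assumed mode-600 password file
DOMAIN="Default"                                 # Verify Identity Access domain
SUFFIX="o=example,c=us"                          # partition suffix split at the proxy
SSL_OPTS=""                                      # e.g. "-Z -K key.kdb -P kdbpwd -N label"
BACKENDS="ldap1.example.com:389 ldap2.example.com:389"   # constructed back-end list

# Split a "host:port" entry with POSIX parameter expansion only.
host_of() { printf '%s' "${1%%:*}"; }
port_of() { printf '%s' "${1##*:}"; }

# Render the documented command for one back-end, without the password, so the
# exact invocation can be reviewed or logged before anything is changed.
add_acls_cmd() {
    printf 'ivrgy_tool -h %s -p %s -D %s -d %sadd-acls %s\n' \
        "$1" "$2" "$LDAP_ADMIN_DN" "${SSL_OPTS:+$SSL_OPTS }" "$DOMAIN"
}

# Apply add-acls to each back-end in turn. Stop at the first failure so that a
# partially applied set of ACLs is noticed instead of silently skipped.
apply_acls_to_all_backends() {
    for hp in $BACKENDS; do
        h=$(host_of "$hp"); p=$(port_of "$hp")
        echo "== $(add_acls_cmd "$h" "$p")"
        ivrgy_tool -h "$h" -p "$p" -D "$LDAP_ADMIN_DN" -w "$(cat "$PWD_FILE")" \
            -d $SSL_OPTS add-acls "$DOMAIN" || return 1
    done
}

# Check: Security Directory Server stores ACLs in the aclEntry attribute (and
# records where they come from in aclSource), so read them from the suffix
# entry on each back-end. Add your ldapsearch client's TLS option if needed;
# it differs between the IBM and OpenLDAP clients, so it is left out here.
verify_acls_on_all_backends() {
    for hp in $BACKENDS; do
        h=$(host_of "$hp"); p=$(port_of "$hp")
        echo "== aclEntry on $h:$p for $SUFFIX =="
        ldapsearch -h "$h" -p "$p" -D "$LDAP_ADMIN_DN" -w "$(cat "$PWD_FILE")" \
            -b "$SUFFIX" -s base '(objectclass=*)' aclEntry aclSource || return 1
    done
}

# Usage:  apply_acls_to_all_backends && verify_acls_on_all_backends
```

    Each back-end should return the same aclEntry values on the suffix entry; a back-end that returns none, or a different set, is the one the proxy cannot protect on Verify Identity Access's behalf.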

Results

The policy server is the only Verify Identity Access component that must be retargeted to the Security Directory Server proxy server as described in Verify Identity Access configuration with the proxy. Other Verify Identity Access components, such as the authorization server or WebSEAL, do not need to be retargeted.

After the policy server is configured, other Verify Identity Access components can be configured normally.

When you configure Verify Identity Access Runtime for other components, the Security Directory Server proxy server host name and port must be specified for the LDAP host name. It is not necessary to indicate any of the back-end servers.