Configuring a WebSEAL instance

Use the isamcfg tool to configure WebSEAL as a point of contact and policy enforcement point for an appliance that has Advanced Access Control activated.

Before you begin

Make sure that your WebSEAL server is listening for connections on the appropriate IP addresses and port numbers. You can control the IP address and port number by using the WebSEAL configuration file. The IP address is controlled by the [server] network-interface configuration option, and the port numbers are controlled by the [server] https-port and [server] http-port options.

To use the isamcfg tool, you must:
  • Obtain an IBM® JRE, version 8.0 or later, that is supported by the installed version of PDJRTE.
  • Ensure that the Java Runtime used to start the isamcfg tool is configured into the Verify Identity Access domain in full mode that uses the PDJRTE. An error is displayed if this condition is not met. For more information about using the PDJRTE, see http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf.
  • Ensure that the isamcfg tool is able to access the application interface for Advanced Access Control.
  • Run the command from the appliance that hosts the reverse proxy instance, if the instance is a restricted node in a cluster. Also, you must use the command-line interface to run the command.
For IBM Verify Identity Access WebSEAL, version 7.0 or later, you must also meet the following conditions:
  • Configure the com.ibm.security.cmskeystore.CMSProvider in the java.security file of the IBM JRE, which is in $JAVA_HOME/lib/security. The isamcfg tool uses the ikeycmd command to manipulate key database files, which requires the CMS provider to be configured in the JRE's java.security file.
  • Ensure that the ikeycmd tool in $JAVA_HOME/bin is on the system path.

For Tivoli Access Manager for e-business WebSEAL versions 6.1.1 or earlier, ensure that the gsk7ikm tool is on the system path.

Run the tool on the same system where WebSEAL is located.
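
The prerequisites above can be checked with a short script before isamcfg is run. This is an added example, not part of the IBM documentation or the isamcfg tool; the function names and the sample files it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks before running isamcfg.

# Print the value of KEY in [STANZA] of a stanza-style file such as webseald.conf.
stanza_value() {  # usage: stanza_value FILE STANZA KEY
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }   # skip comment lines
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_s = ($0 == stanza); next }
        in_s && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeeds if java.security registers the CMS provider on an uncommented line.
cms_provider_configured() {  # usage: cms_provider_configured JAVA_SECURITY_FILE
    grep -Eq '^[[:space:]]*security\.provider\.[0-9]+[[:space:]]*=[[:space:]]*com\.ibm\.security\.cmskeystore\.CMSProvider[[:space:]]*$' "$1" 2>/dev/null
}

# Report listener settings and JRE prerequisites; return the number of failed checks.
preflight() {  # usage: preflight WEBSEALD_CONF JAVA_HOME_DIR
    fails=0
    for key in network-interface https-port http-port; do
        val=$(stanza_value "$1" server "$key")
        echo "info: [server] $key = ${val:-<not set>}"
    done
    if [ -x "$2/bin/ikeycmd" ]; then
        case ":$PATH:" in
            *":$2/bin:"*) echo "ok: ikeycmd is on PATH" ;;
            *) echo "FAIL: $2/bin is not on PATH"; fails=$((fails + 1)) ;;
        esac
    else
        echo "FAIL: no executable ikeycmd in $2/bin"; fails=$((fails + 1))
    fi
    if cms_provider_configured "$2/lib/security/java.security"; then
        echo "ok: CMSProvider is listed in java.security"
    else
        echo "FAIL: CMSProvider is not listed in java.security"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample input (not from a real system): a fake JRE tree and config file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/jre/bin" "$demo_dir/jre/lib/security"
printf '#!/bin/sh\n' > "$demo_dir/jre/bin/ikeycmd"; chmod +x "$demo_dir/jre/bin/ikeycmd"
printf 'security.provider.1=com.ibm.security.cmskeystore.CMSProvider\n' > "$demo_dir/jre/lib/security/java.security"
printf '[server]\nnetwork-interface = 192.0.2.10\nhttps-port = 443\nhttp-port = 80\n' > "$demo_dir/webseald.conf"
( PATH="$demo_dir/jre/bin:$PATH"; preflight "$demo_dir/webseald.conf" "$demo_dir/jre" ) || echo "failed checks: $?"
```

On a real host, call preflight with the path to webseald.conf and the JRE directory that JAVA_HOME points to.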

About this task

This procedure connects the WebSEAL software version 7.* to Verify Identity Access.

Note: This procedure is not intended for deployments that have a Verify Identity Access appliance with the WebSEAL function.

Procedure

  1. Download the isamcfg.jar from the Verify Identity Access appliance with Advanced Access Control.
  2. On the WebSEAL machine, set up a JAVA_HOME environment variable for the JRE. For example:

    export JAVA_HOME=/opt/ibm/java-x86_64-60/jre

    or

    export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/jre

  3. Add $JAVA_HOME/bin to the path:
    export PATH=$JAVA_HOME/bin:$PATH
  4. From the command line, type:
    java -jar isamcfg.jar -action config -cfgfile /path/to/webseald.conf
  5. Use the isamcfg tool to complete the configuration. For configuration details, see the isamcfg WebSEAL configuration worksheet.

Results

When you complete the configuration, a summary screen is displayed, indicating that the configuration is complete.