Enabling the JACC provider for Tivoli Access Manager

The Java™ Authorization Contract for Container (JACC) provider for Tivoli® Access Manager is configured by default. Use this topic to enable the JACC provider for Tivoli Access Manager.

About this task

Restriction: Do not perform this task if you are configuring the JACC provider for Tivoli Access Manager to supply authentication services only. Only perform this task for installations that require both Tivoli Access Manager authentication and authorization protection.
The JACC provider for Tivoli Access Manager is configured by default. To enable the JACC provider for Tivoli Access Manager, complete the following steps:

Procedure

  1. Click Security > Global security > External authorization providers.
  2. Select the External authorization using a JACC provider option, then click Apply.
  3. Under Related Items, click External JACC provider.
    The JACC provider settings for Tivoli Access Manager are displayed.
  4. Verify that the correct settings are present to work with your Tivoli Access Manager configuration.
    The following list shows the JACC provider configuration settings for Tivoli Access Manager.
    Table 1. JACC provider configuration settings for Tivoli Access Manager (field: value).
      Name: Tivoli Access Manager
      Description: This field is optional and used as a reference.
      J2EE policy class name: com.tivoli.pd.as.jacc.TAMPolicy
      Policy configuration factory class name: com.tivoli.pd.as.jacc.TAMPolicyConfigurationFactory
      Role configuration factory class name: com.tivoli.pd.as.jacc.TAMRoleConfigurationFactory
      JACC provider initialization class name: com.tivoli.pd.as.jacc.cfg.TAMConfigInitialize
      Requires the EJB arguments policy context handler for access decisions: false
      Supports dynamic module updates: true
    For more information, see External Java Authorization Contract for Containers provider settings.
  5. Under Additional properties, click Tivoli Access Manager properties and set the properties that are associated with the embedded Tivoli Access Manager.
    The following table explains the properties that are needed for the embedded Tivoli Access Manager. Some fields do not have default values.
    Table 2. Tivoli Access Manager properties (name, default value, description).
      Enable embedded Tivoli Access Manager (default: Unchecked)
        When you select this check box, the embedded Tivoli Access Manager is configured or reconfigured. When you clear this check box, the embedded Tivoli Access Manager is unconfigured.
      Ignore errors during embedded Tivoli Access Manager disablement (default: Unchecked)
        If you check this check box and click OK or Apply, any errors that occur while the embedded Tivoli Access Manager is being unconfigured are ignored and the process completes. If you do not check this check box, unconfiguration errors cause the unconfiguration process to stop.
      Client listening port (default: 8900:8999)
        When the embedded Tivoli Access Manager is configured and running, it requires several ports on which to listen for updates to the Tivoli Access Manager access control list database. The value in this field is a range of port numbers that Tivoli Access Manager can use for this purpose. The first 20% of this range is reserved for the deployment manager. You can enter multiple ranges or individual port numbers, one per line. For example:
          8900:8999
          9100:9200
          9999
      Policy server (no default)
        This field value specifies the name and port number of the configured and running Tivoli Access Manager policy server. The format is server:port. For example:
          snapper.ibm.com:7135
      Authorization servers (no default)
        This field contains the names, port numbers, and priorities of all of the configured and running Tivoli Access Manager authorization servers. This field must contain at least one authorization server. If multiple authorization servers are listed, those servers are used for failover: the server with priority 1 is used first, with failover to the server with priority 2, and so on. The format is server:port:priority, with each authorization server listed on a separate line. For example:
          snapper.ibm.com:7136:1
          turtle.ibm.com:7136:2
      Authorization user name (default: sec_master)
        This field value specifies the administrative user name for Tivoli Access Manager.
      Administrator user password (no default)
        This field value specifies the password for Tivoli Access Manager.
      User registry distinguished name suffix (no default)
        This field value is the suffix that is set up in the user registry to contain the users and groups for Tivoli Access Manager. For example, using IBM® Tivoli Directory Server:
          o=ibm,c=au
      Security domain (default: Default)
        This field value specifies the configured security domain to use for the embedded Tivoli Access Manager.
      Administrator user distinguished name (no default)
        This field specifies the fully distinguished user name of the primary administrative user for WebSphere® Application Server security. For example, using IBM Tivoli Directory Server:
          cn=wasadmin,o=ibm,c=au

    For more information, see Tivoli Access Manager JACC provider settings.

  6. Click OK.
  7. Save the settings by clicking Save.
  8. Log out of the WebSphere Application Server administrative console.
  9. Restart WebSphere Application Server.
    The security configuration is now replicated to managed servers and node agents. These other servers within a cell also require restarting before the security changes take effect.
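The Client listening port, Policy server and Authorization servers fields in step 5 each accept a small line-oriented syntax (low:high ranges or single ports, server:port, and server:port:priority). The Python script below is an added example, not IBM or WebSphere code: it parses those three formats exactly as Table 2 documents them, expands the port ranges, reports the first 20% of the listed ports that Table 2 says are reserved for the deployment manager (assumed here to mean the floor of one fifth of the ports, in ascending order), and returns the authorization servers in failover order. The host names and port numbers are the page's own sample values; the function names are this example's own.

```python
"""Syntax checks for the free-form Tivoli Access Manager property fields.

Added example, not part of the IBM documentation or product. It validates
the field formats described in Table 2 before they are pasted into the
WebSphere administrative console.
"""
from __future__ import annotations

from dataclasses import dataclass


def _port(value: str, context: str) -> int:
    """Parse one TCP port number and reject values outside 1..65535."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {context!r}")
    return port


def parse_listening_ports(text: str) -> list[int]:
    """Expand a line-separated list of 'low:high' ranges and single ports.

    Rejects reversed ranges, out-of-range ports, duplicates and empty input.
    """
    ports: list[int] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            low_s, high_s = line.split(":", 1)
            low, high = _port(low_s, line), _port(high_s, line)
            if low > high:
                raise ValueError(f"range {line!r} is reversed")
        else:
            low = high = _port(line, line)
        ports.extend(range(low, high + 1))
    if not ports:
        raise ValueError("at least one client listening port is required")
    if len(ports) != len(set(ports)):
        raise ValueError("a port is listed more than once")
    return ports


def deployment_manager_ports(ports: list[int]) -> list[int]:
    """Return the first 20% of the configured ports.

    Table 2 says this share is reserved for the deployment manager; taking
    the floor of one fifth of the list, in the order given, is an assumption
    of this example.
    """
    return ports[: len(ports) // 5]


def parse_policy_server(text: str) -> tuple[str, int]:
    """Parse the single 'server:port' value of the Policy server field."""
    line = text.strip()
    host, sep, port_s = line.partition(":")
    if not sep or not host:
        raise ValueError(f"{line!r} is not server:port")
    return host, _port(port_s, line)


@dataclass(frozen=True)
class AuthzServer:
    host: str
    port: int
    priority: int


def parse_authorization_servers(text: str) -> list[AuthzServer]:
    """Parse 'server:port:priority' lines and return them in failover order.

    At least one server is required and priorities must be unique, so that
    the failover sequence (priority 1 first, then 2, ...) is unambiguous.
    """
    servers: list[AuthzServer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"{line!r} is not server:port:priority")
        host, port_s, prio_s = parts
        priority = int(prio_s)
        if priority < 1:
            raise ValueError(f"priority must be 1 or greater in {line!r}")
        servers.append(AuthzServer(host, _port(port_s, line), priority))
    if not servers:
        raise ValueError("at least one authorization server is required")
    if len({s.priority for s in servers}) != len(servers):
        raise ValueError("authorization server priorities must be unique")
    return sorted(servers, key=lambda s: s.priority)


if __name__ == "__main__":
    # Sample values taken from Table 2 on this page.
    ports = parse_listening_ports("8900:8999\n9100:9200\n9999")
    print(len(ports), "listening ports;", "deployment manager gets",
          deployment_manager_ports(ports)[0], "..", deployment_manager_ports(ports)[-1])
    print("policy server:", parse_policy_server("snapper.ibm.com:7135"))
    for s in parse_authorization_servers("turtle.ibm.com:7136:2\nsnapper.ibm.com:7136:1"):
        print(f"priority {s.priority}: {s.host}:{s.port}")
```

Running the script with the page's sample values shows 202 listening ports with 8900 through 8939 reserved for the deployment manager, and snapper.ibm.com ordered ahead of turtle.ibm.com regardless of the order in which the lines were typed.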