Configuring Tivoli Access Manager for authentication only

IBM® WebSphere® Portal and IBM WebSphere Application Server support the Trust Association Interceptors (TAI) that Tivoli provides. If you use Tivoli® Access Manager for authorization, you must also use Tivoli Access Manager for authentication. Using Tivoli Access Manager only for authorization is not supported.

About this task

Important information about junctions: To integrate WebSphere Portal and Tivoli Access Manager for authentication, you must create one or more junctions in WebSEAL that point to WebSphere Portal. Starting with WebSphere Portal Version 8.0, virtual host junctions are the only supported junction type between WebSEAL and WebSphere Portal. You can configure the virtual host junction to function either as a TCP or SSL junction. Then, you use a Trust Association Interceptor (TAI) in WebSphere Application Server to accomplish single sign-on (SSO). You can also have WebSEAL generate LTPA tokens to assert the user identity to WebSphere Portal.
Notes:
  • pdadmin is a command-line utility that supports Tivoli Access Manager administrative functions.
  • This procedure requires that you are familiar with WebSEAL administration concepts as presented in the WebSEAL Administrator's Guide. For complete descriptions of all the pdadmin command-line options to create junctions, refer to the Tivoli Access Manager and WebSphere Application Server documentation.
  • This example assumes that HTTP Server is the web server.
  • These instructions create a virtual host junction that uses TCP. The junction uses a TAI in WebSphere Application Server to accomplish the SSO identity assertion. Refer to the appropriate Tivoli WebSEAL Administration Guide and WebSphere Application Server documentation for information about SSL junctions or generating WebSEAL LTPA tokens.
Clustered environments: Complete the validate-pdadmin-connection task on all nodes in the cluster. Complete all other steps on the primary node.

Procedure

  1. Start the Tivoli Access Manager policy and authorization servers, which are required for successful configuration and for single sign-on (SSO) to occur.
  2. Create your junctions on the WebSEAL server. Refer to the Tivoli® Access Manager for e-business documentation for guidance on junction creation. Complete the following steps to create a TCP junction:
    1. Open a pdadmin command prompt from any node that has a Tivoli Access Manager run time component installed. You can use the Tivoli Access Manager Server node, WebSEAL node, or the WebSphere Portal node.
    2. Enter the following command on one line:
      pdadmin> server task WebSEAL-instance_name-webseald-WebSEAL-HostName virtualhost create -t type -h hostname [options] vhost-label
      The following information describes the required parameters in the pdadmin command:
      • The virtual host label (vhost-label) is the name for the virtual host junction.
      • Virtual host junctions are always mounted at the root of the WebSEAL object space.
      • You can refer to a junction in the pdadmin utility with this label.
      • The virtual host junction label must be unique within each instance of WebSEAL.
      • Because the label represents virtual host junctions in the protected object space, the label name must not contain the forward slash character (/).
      • -t type: This parameter defines whether the junction is encrypted (-t ssl) or not encrypted (-t tcp). This parameter is required when you create a virtual host junction.
      • -h hostname: This parameter defines the backend server to which the junction connects. In most situations, the host name is the HTTP server that sits in front of WebSphere Portal. This parameter is required when you create a virtual host junction.
      [options] include the following optional parameters:
      • -p port: This parameter defines the port number for the backend server to which the junction connects. If not specified, the default value is 80 for HTTP or 443 for HTTPS.
      • -v vhost_name[:port]: This parameter is the virtual host name and port number that defines the junction. WebSEAL maps incoming requests to this host name and port to this junction. If not specified, the values default to the -h hostname and -p port values.
      • -c header_type: This parameter inserts the Tivoli Access Manager client identity in HTTP headers across the junction. The header_type argument can include any combination of the following Tivoli Access Manager HTTP header types:
        • {iv_user|iv_user-l}
        • iv_groups
        • iv_creds
        • all
        The header types must be comma-separated, with no space between the types. For example: -c iv_user,iv_groups. Specifying -c all is the same as specifying -c iv_user,iv_groups,iv_creds. This parameter is valid for all junction types except local.
      The following information is a sample command with the type set to TCP:
      pdadmin> server task default-webseald-webseal.ibm.com virtualhost create -t tcp -v p.s.com -d /web/doc vhost-local-ps-http
  3. Optional: If you plan to use an SSL junction, go to the related links. Follow the instructions in steps 1 through 3 of the topic about setting up SSL. Then, complete the following steps to create the virtual host junction:
    1. Use the IBM Key Management utility to load the web server certificate into the keyring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
    2. Restart WebSEAL.
  4. Enter the following tasks on the pdadmin command line to create the trusted user account:
    Tip: This step is required only for TAI junctions. Skip this step if you created an LTPA junction. An LTPA junction is created if you entered the -A parameter. Refer to the Tivoli® Access Manager for e-business documentation for this advanced configuration.
    The trusted user account in the Tivoli Access Manager user registry must be the same as the one WebSphere Application Server is configured to use. It is the ID that WebSEAL uses to identify itself to WebSphere Application Server and it is one of the underlying TAI security requirements.
    Note: To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account must be a dedicated user account for the purposes of communication between WebSEAL and the TAI.
    1. pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
    2. pdadmin> user modify webseal_userid account-valid yes
  5. Run the following task to validate that the PdPerm.properties file exists:
    Table 1. Tasks to validate that the PdPerm.properties file exists, by operating system
    • Windows: from the wp_profile_root\ConfigEngine directory, run ConfigEngine.bat validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
    • AIX, Solaris, Linux: from the wp_profile_root/ConfigEngine directory, run ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
    • IBM i: from the wp_profile_root/ConfigEngine directory, run ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
    Clustered environments:
    • Complete this step on all nodes.
    • WasPassword is the Deployment Manager administrative password.
    If the task does not run successfully: Run the run-svrssl-config task to create the properties file (see Creating the AMJRTE properties file), then run the validate-pdadmin-connection task again. If the task is still not successful after a second attempt, do not proceed with any subsequent steps: a failing validate-pdadmin-connection task indicates that your portal cannot connect to the Tivoli Access Manager server.
  6. Use a text editor to open the wkplc_comp.properties file in the wp_profile_root/ConfigEngine/properties directory. Enter the following parameters under the WebSphere Application Server WebSEAL TAI parameters heading:
    1. For wp.ac.impl.TAICreds, type the headers that are inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL. Refer to the values entered for the -c header_type parameter. For example, if you entered -c iv-user, then the value for wp.ac.impl.TAICreds is iv-user. If you entered -c all, then the value for wp.ac.impl.TAICreds is iv-user,iv-groups,iv-creds.
      Important: Never specify a header name for wp.ac.impl.TAICreds that the WebSEAL server is not sending over the junction.
    2. For wp.ac.impl.hostnames, enter the fully qualified URL for WebSphere Portal. This value must match the -h and -p parameters from the junction creation command.
    3. For wp.ac.impl.ports, enter the port number that is used to access the host server that is identified in wp.ac.impl.hostnames. This value must match the -p parameter from the junction creation command.
    4. For wp.ac.impl.loginId, enter the reverse proxy identity that is used when you create a TCP junction. This value must match the trusted user account.
    5. For wp.ac.impl.BaUserName, enter the reverse proxy identity that is used when you create an SSL junction.
    6. For wp.ac.impl.BaPassword, enter the password for the SSL junction reverse proxy ID.
    7. Save your changes to the properties file.
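As an added consistency check for step 6 (this is not the page's or the product's own code; the junction command, host names and properties fragment below are constructed placeholders), the following Python compares the -c, -h and -p values of a virtualhost create command with the wp.ac.impl.TAICreds, wp.ac.impl.hostnames and wp.ac.impl.ports values, and flags any header in TAICreds that the junction does not actually send:

```python
# Constructed sample input, not from the page: a TCP virtual host junction command
# and the wkplc_comp.properties values that should match it (placeholder host names).
JUNCTION_CMD = ("server task default-webseald-webseal.example.com virtualhost create "
                "-t tcp -h portal-http.example.com -p 80 -c iv_user,iv_groups vhost-portal")
PROPS = ("wp.ac.impl.TAICreds=iv-user,iv-groups\n"
         "wp.ac.impl.hostnames=portal-http.example.com\nwp.ac.impl.ports=80\n")

def parse_junction(cmd):
    """Pick the -t, -h, -p and -c values out of a 'virtualhost create' command."""
    toks = cmd.split()
    opts = {"-t": None, "-h": None, "-p": None, "-c": None}
    for i, tok in enumerate(toks):
        if tok in opts and i + 1 < len(toks):
            opts[tok] = toks[i + 1]
    if opts["-p"] is None:  # WebSEAL default port: 443 for ssl, otherwise 80
        opts["-p"] = "443" if opts["-t"] == "ssl" else "80"
    return opts

def parse_props(text):
    """Minimal key=value parser for the properties fragment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def expected_headers(c_value):
    """Map -c types (iv_user, iv_user-l, iv_groups, iv_creds, all) to HTTP header names."""
    types = [t for t in (c_value or "").split(",") if t]
    if "all" in types:
        return {"iv-user", "iv-groups", "iv-creds"}
    return {t.replace("iv_user-l", "iv_user").replace("_", "-") for t in types}

def check_tai_config(cmd, props_text):
    """Return the list of mismatches between the junction and the TAI properties."""
    j, p = parse_junction(cmd), parse_props(props_text)
    problems = []
    creds = {c for c in p.get("wp.ac.impl.TAICreds", "").split(",") if c}
    extra = creds - expected_headers(j["-c"])
    if extra:  # step 6 warns: never list a header that WebSEAL is not sending
        problems.append("TAICreds names headers WebSEAL does not send: " + ",".join(sorted(extra)))
    for key, opt in (("wp.ac.impl.hostnames", "-h"), ("wp.ac.impl.ports", "-p")):
        if p.get(key) != j[opt]:
            problems.append(key + " does not match junction " + opt)
    return problems
```

Run check_tai_config against your real junction command and properties fragment; an empty list means the three values agree.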
  7. The new TAI implementation is available only as a download and must be added to the system. See the related links section to download the Extended Tivoli Access Manager Trust Association Interceptor Plus (ETAI) and add the binary files to your environment. WebSphere Application Server deprecated the TAI implementation that ships with WebSphere Portal.
  8. Optional: If you must use the deprecated TAI implementation, complete the following steps:
    1. Open the wkplc_comp.properties file.
    2. Add the TAMTAIName parameter to the WAS WebSEAL TAI section.
    3. Enter com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus as the value.
  9. Install and configure the ETAI. Then, restart your server.
  10. Run the following task to configure TAI for Tivoli Access Manager:
    Table 2. Task to configure TAI for Tivoli Access Manager, by operating system
    • Windows: from the wp_profile_root\ConfigEngine directory, run ConfigEngine.bat enable-tam-tai -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
    • AIX, Solaris, Linux: from the wp_profile_root/ConfigEngine directory, run ./ConfigEngine.sh enable-tam-tai -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
    • IBM i: from the wp_profile_root/ConfigEngine directory, run ConfigEngine.sh enable-tam-tai -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
    Clustered environments: WasPassword is the Deployment Manager administrative password.
  11. Optional: Enable user provisioning, if required. See the related links section for information.
  12. If you are using Tivoli Access Manager in a stand-alone environment that does not include a web server, complete the following steps:
    1. Log on to the WebSphere Integrated Solutions Console.
    2. Go to Servers > Server Types > Web application servers > WebSphere_Portal > Web container settings > Web Container and then click Additional Properties > Custom properties.
    3. Click New and then add the com.ibm.ws.webcontainer.extracthostheaderport custom property with a value of true.
    4. Click OK.
    5. Click New and add the trusthostheaderport custom property with a value of true.
    6. Click OK.
    7. Click Save to save your changes.
    8. Log out of the WebSphere Integrated Solutions Console.
  13. Stop and restart the appropriate servers to propagate the changes. For specific instructions, see Starting and stopping servers, deployment managers, and node agents.
  14. Go to the WebSEAL node and edit the webseald-instance.conf file for the appropriate WebSEAL instance, for example webseald-default.conf. In this file, set the basicauth-dummy-passwd value to the password of the ID that WebSEAL uses to identify itself to WebSphere Application Server. This user ID and password were created in an earlier step. Stop and start the WebSEAL server before you continue.
  15. If your WebSEAL instance is on the Windows operating system, limit the length of the generated URLs. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.
  16. Import WebSphere Portal users and groups into Tivoli Access Manager. Enter the following commands on the Tivoli Access Manager administrative command line, where wpsadmin is the user ID for the administrator, and wpsadmins is the administrators group name. The fully distinguished names of these user and group IDs vary depending on your LDAP settings.
     user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
     user modify wpsadmin account-valid yes
     group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com
  17. Some functions of WebSphere Portal require the PUT and DELETE HTTP methods. By default, WebSEAL does not allow these requests. You must either allow these methods in the applicable WebSEAL ACL and on the web server, or change the HTTP methods in the x-method-override configuration.