Question & Answer
Question
How does one create an Unauthenticated ACL for use within IBM Security Access Manager for Web?
Answer
STATEMENT OF INTENT
This document serves as a 'How to' example of creating an Unauthenticated ACL in IBM Tivoli Access Manager for eBusiness 6.1. The example covers two ways to create the ACL: the PDADMIN command line tool and the Web Portal Manager (WPM). The procedure is also valid for other versions of Access Manager.
For this example, the ITAM server is installed and running on a Windows 2003 Server; however, the procedure is the same on any ITAM supported operating system. It is also assumed that the ITAM Web Portal Manager (WPM) server is already configured, if WPM is used to create the ACL, or that the PDADMIN command line tool works properly. Please also install the latest patches and the latest version of the Web Administration Tool (see Related Information for the link).
CREATING AN UNAUTHENTICATED ACL USING PDADMIN
The short answer is to copy the default-webseal ACL and then grant the Trx permissions to its Unauthenticated entry.
This is done by first logging into PDADMIN using the sec_master admin ID:
pdadmin> login
Enter User ID: sec_master
Enter Password: ********
pdadmin sec_master>
Once logged in and authenticated to PDADMIN, issue an acl show to review the default-webseal ACL:
pdadmin sec_master> acl show default-webseal
ACL Name: default-webseal
Description: Default WebSEAL ACL
Entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
Any-other Trx
Unauthenticated T
Using the default-webseal ACL as a template, use the PDADMIN commands to create the new ACL and then set each of its entries, giving the unauthenticated entry Trx instead of T:
pdadmin sec_master> acl create UnAuthACL
pdadmin sec_master> acl modify UnAuthACL set group iv-admin TcmdbsvaBRrxl
pdadmin sec_master> acl modify UnAuthACL set group webseal-servers Tgmdbsrxl
pdadmin sec_master> acl modify UnAuthACL set user sec_master TcmdbsvaBRrxl
pdadmin sec_master> acl modify UnAuthACL set any-other Trx
pdadmin sec_master> acl modify UnAuthACL set unauthenticated Trx
Once complete, an acl show displays the newly created ACL:
pdadmin sec_master> acl show UnAuthACL
ACL Name: UnAuthACL
Description:
Entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
Any-other Trx
Unauthenticated Trx
pdadmin sec_master>
This ACL is now ready to be used as the administrator sees fit.
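The pdadmin steps above, turned into a script as an added example that is not part of the IBM technote: it parses the text that acl show prints, emits the acl create and acl modify commands that rebuild the ACL under a new name, and adds a check that reports when an ACL grants unauthenticated users more than Traverse, which is the situation the warning at the end of this technote describes. The ACL text is a constructed copy of the default-webseal output shown above, and the function names are this example's own.

```shell
# Added example, not from the IBM technote: build the pdadmin commands that clone an
# ACL from "acl show" output, then audit what the clone grants unauthenticated users.

# Constructed copy of the "acl show default-webseal" output in this technote.
DEFAULT_WEBSEAL_ACL='ACL Name: default-webseal
Description: Default WebSEAL ACL
Entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
Any-other Trx
Unauthenticated T'

# clone_acl_cmds NEW_NAME UNAUTH_PERMS: read "acl show" text on stdin and print
# the create/modify commands that rebuild every entry under NEW_NAME, with the
# Unauthenticated entry set to UNAUTH_PERMS (Trx in the technote). Paste the
# output into a "pdadmin sec_master>" session; nothing here contacts a server.
clone_acl_cmds() {
    awk -v acl="$1" -v unauth="$2" '
        BEGIN { print "acl create " acl }
        /^Entries:/ { in_entries = 1; next }
        !in_entries { next }
        $1 == "Group" || $1 == "User" {
            print "acl modify " acl " set " tolower($1) " " $2 " " $3; next }
        $1 == "Any-other"       { print "acl modify " acl " set any-other " $2; next }
        $1 == "Unauthenticated" { print "acl modify " acl " set unauthenticated " unauth; next }
    '
}

# unauth_perms: print the Unauthenticated entry's permission string from the
# "acl show" text on stdin, or "-" when the ACL has no such entry.
unauth_perms() {
    awk '/^Entries:/ { in_entries = 1; next }
         in_entries && $1 == "Unauthenticated" { perms = $2 }
         END { print (perms == "" ? "-" : perms) }'
}

# unauth_exposes: exit 0 when the ACL on stdin grants unauthenticated users
# more than Traverse (T), i.e. the warning in this technote applies and the
# ACL deserves review before it is attached to an object.
unauth_exposes() {
    case "$(unauth_perms)" in
        -|T) return 1 ;;
        *)   return 0 ;;
    esac
}

# Stand-alone demo: print the commands that recreate the page's UnAuthACL.
printf '%s\n' "$DEFAULT_WEBSEAL_ACL" | clone_acl_cmds UnAuthACL Trx
```

To audit an existing ACL, pipe the output of acl show for that ACL into unauth_exposes and act on its exit status.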
CREATING AN UNAUTHENTICATED ACL USING WPM
As in the example above, the answer is to make a copy of the default-webseal ACL and then grant the Trx permissions to its Unauthenticated entry. This time, however, the Web Portal Manager is used to create the ACL with its Clone function.
This is done by first logging into the Integrated Solutions Console with the sec_master administrator ID and then expanding the Web Portal Manager section.
Once the administrator is authenticated, expand the ACL section and select the 'List ACLs' option.

Once selected, a list of all ACLs currently defined within IBM Tivoli Access Manager for eBusiness is displayed. Select the default-webseal ACL to open its details.
Web Portal Manager can copy, or clone, an existing ACL. This saves time whenever a new ACL is needed that differs only slightly from an existing one, as is the case when creating an Unauthenticated ACL. Click the 'Clone' button to continue.

WPM then prompts for the name and description of the cloned ACL. Enter a unique name for the new ACL; for this example, UnAuthACL is used. Click the 'Clone' button again to complete the process and create the new ACL.

WPM confirms that the new ACL has been created. Click 'Done' to continue.

Back at the list of ACLs, select the newly created ACL, 'UnAuthACL' in this example.
As can be seen, this is an exact copy of the default-webseal ACL. The only change needed to make it an Unauthenticated ACL is to edit the permissions. To do this, select the 'Permissions' link next to the 'Unauthenticated' entry type.

This brings up the display that allows the permissions to be edited, listing the allowable permissions. The Traverse (T) permission should already be selected. Select the Read (r) and Execute (x) permissions as well, then click 'Apply' to modify the new ACL.

The updated 'UnAuthACL' listing shows the modified permissions.

The new Unauthenticated ACL is now created successfully and can be used as needed.
*WARNING* An unauthenticated ACL attached to a specific object will bypass all ITAM security for that object and all child objects. Use with extreme care.
Product Synonym
ITAM TAM AM
Document Information
Modified date:
23 June 2018
UID
swg21406125