IBM Support

JBoss integration with multiple Access Manager domains

Question & Answer


Question

How do I integrate JBoss with an IBM Security Access Manager (ISAM) environment that involves multiple domains?

Cause

The "ISAM JBoss Enterprise Application Platform Integration Guide" provides instructions on how to set up the integration between ISAM and JBoss for the Default domain. However, there are a few additional things to consider when integrating JBoss with multiple ISAM domains.

Answer

This technote describes the steps needed to run the configuration on the JBoss server when multiple ISAM domains must be integrated. The main point to understand is that a separate configuration is required for each domain. In other words, the svrsslcfg command must be run with the "-domain" option once for each ISAM domain that is to be integrated.

Notice! This document assumes that the ISAM domains have already been created and are working without any issues. WebSEAL and authorization server instances, as well as the proper user IDs, must exist for each ISAM domain before the configuration commands are run on the JBoss server.

The syntax and details of svrsslcfg can be found in the Access Manager for e-business Version 6.1.1 Authorization Java Classes Developer Reference (see the list of related URLs at the end of the document).


1) Follow the instructions in the "ISAM JBoss Enterprise Application Platform Integration Guide" (see the list of related URLs at the end of the document) up to the point where the svrsslcfg command is run.

2) Run the svrsslcfg command for each ISAM domain

The usage of the com.tivoli.pd.jcfg.SvrSslCfg class can be summarized as follows:
java com.tivoli.pd.jcfg.SvrSslCfg -action { config | unconfig | addsvr | rmsvr | chgsvr | setport | setdblisten | setdbref | replcert }
-admin_id admin_user_ID
-admin_pwd admin_password
-appsvr_id application_server_name
-appsvr_pwd application_server_password
-port port_number
-mode { local | remote }
-host Host_name_of_application_server
-policysvr policy_server_name:port:rank [,...]
-authzsvr authorization_server_name:port:rank [,...]
-cfg_file fully_qualified_name_of_configuration_file
-domain Tivoli_Access_Manager_domain
-key_file fully_qualified_name_of_keystore_file
-msg_id message_identifier
-dblisten { true | false }
-dbrefresh refresh_interval_in_seconds
-dbdir name_of_directory_for_local_policy_database
-cfg_action { create | replace }
-certrefresh { true | false }

Examples:
Command for ISAM domain 1, assuming the name of the domain is "sales":

java -cp /opt/PolicyDirector/java/export/pdjrte/PD.jar com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sales_admin -admin_pwd <passwd> -appsvr_id jboss-sso-sales -port 7131 -mode remote -policysvr <policy server hostname>:7135:1 -authzsvr <authorization server hostname>:7138:1 -cfg_file <JBOSS_HOME>/standalone/configuration/jboss-sso-sales.properties -key_file <JBOSS_HOME>/standalone/configuration/jboss-sso-sales.ks -domain sales

sales_admin = admin ID that has been created in the ISAM domain called "sales"
jboss-sso-sales = name of the application server; it must be unique within the ISAM domain
7138 = TCP/IP port of the authorization server instance for the "sales" domain


Command for ISAM domain 2, assuming the name of the domain is "marketing":

java -cp /opt/PolicyDirector/java/export/pdjrte/PD.jar com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id marketing_admin -admin_pwd <passwd> -appsvr_id jboss-sso-marketing -port 7132 -mode remote -policysvr <policy server hostname>:7135:1 -authzsvr <authorization server hostname>:7140:1 -cfg_file <JBOSS_HOME>/standalone/configuration/jboss-sso-marketing.properties -key_file <JBOSS_HOME>/standalone/configuration/jboss-sso-marketing.ks -domain marketing

marketing_admin = admin ID that has been created in the ISAM domain called "marketing"
jboss-sso-marketing = name of the application server; it must be unique within the ISAM domain
7140 = TCP/IP port of the authorization server instance for the "marketing" domain

Notice that the above commands must be modified to reflect your own environment; they merely illustrate the usage.

3) Modify JBoss server configuration

Add the following configurations to the <security-domains> section of your <JBOSS_HOME>\standalone\configuration\standalone.xml:

<security-domain name="Sales">
    <authentication>
        <login-module code="com.ibm.security.websso.TAMLoginModule" flag="required">
            <module-option name="pdconfig" value="file:///<JBOSS_HOME>/standalone/configuration/jboss-sso-sales.properties"/>
            <module-option name="idType" value="iv-creds"/>
            <module-option name="loginID" value="jboss-sso-sales"/>
            <module-option name="buildRolesFrom" value="PDPrincipal"/>
            <module-option name="reqHdrList" value="iv-user"/>
        </login-module>
    </authentication>
</security-domain>

*jboss-sso-sales = user ID created in the ISAM domain called "sales"


<security-domain name="Marketing">
    <authentication>
        <login-module code="com.ibm.security.websso.TAMLoginModule" flag="required">
            <module-option name="pdconfig" value="file:///<JBOSS_HOME>/standalone/configuration/jboss-sso-marketing.properties"/>
            <module-option name="idType" value="iv-creds"/>
            <module-option name="loginID" value="jboss-sso-marketing"/>
            <module-option name="buildRolesFrom" value="PDPrincipal"/>
            <module-option name="reqHdrList" value="iv-user"/>
        </login-module>
    </authentication>
</security-domain>

*jboss-sso-marketing = user ID created in the ISAM domain called "marketing"

4) In the application's jboss-web.xml file, refer to the correct security domain:

Examples:
Application 1:

<jboss-web>
...
<security-domain>Sales</security-domain>
...
</jboss-web>


Application 2:

<jboss-web>
...
<security-domain>Marketing</security-domain>
...
</jboss-web>


Notice that separate WebSEAL and authorization server instances are needed for each ISAM domain. The domain name is required when a WebSEAL or authorization server instance is configured, and its value is saved in the ssl-local-domain entry of the [ssl] stanza. To match the examples above, the value of the ssl-local-domain entry would be "sales" in the first case and "marketing" in the second.
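The following script is an added example, not part of this technote or of IBM's integration code. It reads a standalone.xml and the jboss-web.xml of each application and flags the two mistakes that steps 2 to 4 are prone to when several domains are configured: two security domains pointing at the same pdconfig file or the same loginID (each domain needs its own svrsslcfg run), and an application referencing a security domain name that is not defined. The XML samples, the /opt/jboss path standing in for <JBOSS_HOME>, and the application names are constructed for the example.

```python
# Added example (not IBM's code): flags the mistakes this technote warns about in
# constructed standalone.xml and jboss-web.xml samples.
import xml.etree.ElementTree as ET

TAM_MODULE = "com.ibm.security.websso.TAMLoginModule"

def _local(tag):  # strip the namespace prefix a real standalone.xml carries
    return tag.rsplit("}", 1)[-1]

def tam_domains(standalone_xml):
    """Map security-domain name -> module-options of its TAMLoginModule."""
    domains = {}
    for sd in (e for e in ET.fromstring(standalone_xml).iter() if _local(e.tag) == "security-domain"):
        for lm in sd.iter():
            if _local(lm.tag) == "login-module" and lm.get("code") == TAM_MODULE:
                domains[sd.get("name")] = {o.get("name"): o.get("value") for o in lm.iter()
                                           if _local(o.tag) == "module-option"}
    return domains

def check_setup(standalone_xml, jboss_web_by_app):
    """Return a list of problems; an empty list means the setup is consistent."""
    domains, problems, owner = tam_domains(standalone_xml), [], {}
    for name, opts in domains.items():
        # Every ISAM domain needs its own pdconfig file (one svrsslcfg run per
        # domain) and its own application-server id; reuse is a copy-paste slip.
        for key in ("pdconfig", "loginID"):
            first = owner.setdefault((key, opts.get(key)), name)
            if first != name:
                problems.append(f"{name}: {key} {opts.get(key)!r} already used by {first}")
    for app, web_xml in jboss_web_by_app.items():
        ref = next((e.text for e in ET.fromstring(web_xml).iter()
                    if _local(e.tag) == "security-domain"), None)
        # Names are case-sensitive: "marketing" does not resolve to "Marketing".
        if ref is None or ref.strip() not in domains:
            problems.append(f"{app}: security-domain {ref!r} has no {TAM_MODULE} definition")
    return problems

# Constructed sample: Marketing wrongly reuses the sales pdconfig file and the
# second application references its domain with the wrong case.
CFG = "file:///opt/jboss/standalone/configuration/"  # stands in for <JBOSS_HOME>
STANDALONE_XML = f"""<security-domains>
<security-domain name="Sales"><authentication><login-module code="{TAM_MODULE}" flag="required">
<module-option name="pdconfig" value="{CFG}jboss-sso-sales.properties"/>
<module-option name="loginID" value="jboss-sso-sales"/>
</login-module></authentication></security-domain>
<security-domain name="Marketing"><authentication><login-module code="{TAM_MODULE}" flag="required">
<module-option name="pdconfig" value="{CFG}jboss-sso-sales.properties"/>
<module-option name="loginID" value="jboss-sso-marketing"/>
</login-module></authentication></security-domain>
</security-domains>"""
JBOSS_WEB = {"app1": "<jboss-web><security-domain>Sales</security-domain></jboss-web>",
             "app2": "<jboss-web><security-domain>marketing</security-domain></jboss-web>"}
```

Run check_setup(STANDALONE_XML, JBOSS_WEB) on the real files after step 4; an empty list means every TAM security domain has its own pdconfig and loginID and every application resolves to a defined domain.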


Product Synonym

Tivoli Access Manager for e-business
IBM Security Access Manager for Web

Document Information

More support for:
Tivoli Access Manager for e-business

Software version:
Version Independent

Document number:
523177

Modified date:
16 June 2018

UID

swg21693796
