Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 


Access Manager

The Tivoli Access Manager resource adapter is defined in the com.waveset.adapter.AccessManagerResourceAdapter class.

This resource adapter supports the following versions of Access Manager:

Resource Configuration Notes

This section provides instructions for configuring Access Manager resources, including:

General Configuration

Follow these steps when setting up the IBM Tivoli Access Manager resource for use with Identity Manager:

  1. Install the IBM Tivoli Access Manager Java Runtime Component on the Identity Manager server.
  2. Set your PATH variable to include the path to the JVM for your application server. For example:
    • If you have a WebLogic 7.x install on a UNIX server, set your path to:

      PATH=$WLHOME/bea/jdk131_04/bin:$WLHOME/bea/jdk131_04/jre/bin:$PATH

    • If you have a WebSphere 4.x install on a Windows 2000 server, set your path to:

      set PATH=%WebSphere%\AppServer\java\bin;%WebSphere%\AppServer\java\jre\bin;%PATH%

  3. Run the pdjrtecfg -action config command to install the following Access Manager .jar files to the JRE’s lib/ext directory:
    • ibmjceprovider.jar
    • ibmjsse.jar
    • ibmpkcs.jar
    • jaas.jar
    • local_policy.jar
    • PD.jar
    • US_export_policy.jar
    • ibmjcefw.jar

    Note  For more information, see the IBM Tivoli Access Manager Base Installation Guide.

  4. Remove the following jar files from the InstallDir\idm\WEB-INF\lib directory (depending on your application server, these files may have been removed during the Identity Manager product installation):
    • jsse.jar
    • jcert.jar
    • jnet.jar
    • cryptix-jce-api.jar
    • cryptix-jce-provider.jar
  5. Modify the java.security file:

     security.provider.2=com.ibm.crypto.provider.IBMJCE
     security.provider.3=com.ibm.net.ssl.internal.ssl.Provider

  6. Add the VM parameter to the application server:

     -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol

    Note  If necessary, you can add multiple packages by delimiting with a | (pipe symbol). For example:

    -Djava.protocol.handler.pkgs=sun.net.www.protocol|com.ibm.net.ssl.internal.www.protocol

  7. Make sure the IBM Tivoli Access Manager Authorization Server is configured and running.
  8. Run the SvrSslCfg command.

    For example:

    java com.tivoli.pd.jcfg.SvrSslCfg -action config \
    -admin_id sec_master -admin_pwd secpw \
    -appsvr_id PDPermissionjapp -host amazn.myco.com \
    -mod local -port 999 -policysvr ampolicy.myco.com:7135:1 \
    -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/configfile \
    -key_file c:/am/keystore -cfg_action create

    The "am" directory must already exist. Successful completion creates these files in the c:\am directory:

    • configfile
    • keystore

    Note  For more information, see IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference and IBM Tivoli Access Manager Administration Java Classes Developer’s Reference.
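The following pre-flight script is an added example (not part of Identity Manager or the IBM Tivoli documentation) that verifies the outcome of the procedure above before the adapter is used: the jars pdjrtecfg installs into the JRE's lib/ext, the conflicting jars removed from WEB-INF/lib, the IBM providers in java.security, and the -Djava.protocol.handler.pkgs VM parameter. The JRE home, WEB-INF/lib path, java.security path and JVM option string are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added pre-flight check for the Access Manager adapter setup (example, not part of
# Identity Manager or IBM Tivoli). The jar names and provider entries are the ones the
# procedure above installs and removes; all paths are passed in by the caller.

# Jars that pdjrtecfg -action config places in the JRE's lib/ext directory.
AM_JARS="ibmjceprovider.jar ibmjsse.jar ibmpkcs.jar jaas.jar local_policy.jar PD.jar US_export_policy.jar ibmjcefw.jar"
# Jars that must not remain in InstallDir/idm/WEB-INF/lib (they conflict with the IBM providers).
CONFLICT_JARS="jsse.jar jcert.jar jnet.jar cryptix-jce-api.jar cryptix-jce-provider.jar"

# Return 0 when every jar named in $2 exists in directory $1.
check_jars_present() {
  dir=$1; missing=0
  for jar in $2; do
    [ -f "$dir/$jar" ] || { echo "missing: $dir/$jar"; missing=1; }
  done
  return $missing
}

# Return 0 when none of the jars named in $2 is left in directory $1.
check_jars_absent() {
  dir=$1; found=0
  for jar in $2; do
    [ -f "$dir/$jar" ] && { echo "conflict: $dir/$jar"; found=1; }
  done
  return $found
}

# Return 0 when java.security ($1) registers both IBM providers, at any provider index.
check_security_providers() {
  grep -q '^security\.provider\.[0-9][0-9]*=com\.ibm\.crypto\.provider\.IBMJCE$' "$1" &&
  grep -q '^security\.provider\.[0-9][0-9]*=com\.ibm\.net\.ssl\.internal\.ssl\.Provider$' "$1"
}

# Return 0 when the JVM options ($1) list the IBM package in -Djava.protocol.handler.pkgs,
# alone or pipe-delimited with other packages.
check_handler_pkgs() {
  case "$1" in
    *-Djava.protocol.handler.pkgs=*com.ibm.net.ssl.internal.www.protocol*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: run_preflight JRE_HOME WEBINF_LIB JAVA_SECURITY_FILE "JVM_OPTIONS"
run_preflight() {
  check_jars_present "$1/lib/ext" "$AM_JARS" &&
  check_jars_absent "$2" "$CONFLICT_JARS" &&
  check_security_providers "$3" &&
  check_handler_pkgs "$4"
}
```

Run it from the account that starts the application server so that the JRE it inspects is the one the server actually uses.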

Setting up Web Access Control

The following procedure describes the general configuration steps to use Tivoli Access Manager as the Web Access Control for Identity Manager. Some of the following steps require detailed knowledge of the Tivoli Access Manager software.

  1. Install and configure the IBM Tivoli Access Manager Java Runtime Component on the Identity Manager server.
  2. Configure the JDK Security Settings on the Identity Manager server.
  3. Create the Access Manager SSL Config files on the Identity Manager server.
  4. Create a Junction in Access Manager for the Identity Manager URLs. Refer to the Tivoli Access Manager product documentation for more details. The following example pdadmin command illustrates how to create a junction:

     pdadmin server task WebSealServer create -t Connection -p Port \
     -h Server -c ListOfCredentials -r -i JunctionName

  5. Configure the Identity Manager Base HREF property for the WebSEAL Proxy Server.
  6. Set up the Access Manager resource adapter.
  7. Load the Access Manager users into Identity Manager.
  8. Configure Pass-Through Authentication for Access Manager in Identity Manager.

When a user attempts to access the Identity Manager URLs via Access Manager, the user's identity is passed in the HTTP header to Identity Manager. Identity Manager then uses that identity to verify that the user exists in both Access Manager and Identity Manager. If the user is trying to access the Identity Manager Administrator interface, Identity Manager checks the Identity Manager Security configuration for the user to make sure they have Identity Manager administrative rights. End users are also verified against Access Manager, and checked for an Identity Manager account.

Identity Manager Installation Notes


Note  If you are installing IBM Tivoli Access Manager with a WebSphere application server, do not copy the jsse.jar, jcert.jar, and jnet.jar files during Identity Manager installation to the WEB-INF\lib directory; otherwise, a conflict results.

The Access Manager resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

  1. Copy the pd.jar file from the Access Manager installation media to the $WSHOME/WEBINF/lib directory.
  2. Add the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.AccessManagerResourceAdapter

Usage Notes

This section lists dependencies and limitations related to using the Access Manager resource adapter.


Notes:

Creating GSO Credentials

To configure GSO Web Resource or GSO Resource Group credentials from the Identity Manager Create User page, perform the following steps:

  1. Select Add GSO Web Credentials or GSO Resource Group Credentials.
  2. Select a target from the appropriate GSO credential drop-down menu.
  3. Enter a resource user ID and password in the text fields.
  4. To change the resource credential user ID and/or password, edit the appropriate field. For security reasons, the credential password is never retrieved.

Deleting GSO Credentials

To delete a credential, select it from the table and then click the corresponding Remove button.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses JNDI over SSL to communicate with Access Manager.

Required Administrative Privileges

The administrative user must have sufficient privileges to create, update, and delete users, groups, web resources, and resource groups.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                       Supported?
----------------------------  ---------------------------------------------
Enable/disable account        Yes
Rename account                No
Pass-through authentication   Yes
Before/after actions          No
Data loading methods          Import directly from resource; Reconciliation

Account Attributes

The following table provides information about Access Manager account attributes.

Attribute        Data Type  Description
---------------  ---------  --------------------------------------------------------------------------
firstname        string     Required. The user’s first name.
lastname         string     Required. The user’s last name.
registryUID      string     Required. The account name stored in the user registry.
description      string     Text describing the user.
groups           string     The Access Manager groups that the user is a member of.
noPwdPolicy      boolean    Indicates whether a password policy is enforced.
ssoUser          boolean    Indicates whether the user has single sign-on abilities.
expirePassword   boolean    Indicates whether the password will be expired.
importFromRgy    boolean    Indicates whether to import group data from the user registry.
deleteFromRgy    boolean    Indicates whether the user should be deleted.
syncGSOCreds     boolean    Indicates whether to synchronize GSO passwords to the Access Manager password.
gsoWebCreds      string     A list of web resource credentials the user has access to.
gsoGroupCreds    string     A list of resource group credentials the user has access to.

Resource Object Management

Identity Manager supports the following objects:

Resource Object   Features Supported             Attributes Managed
----------------  -----------------------------  ----------------------------------------
Group             Create, find, update, delete   name, description, registry name, member

Identity Template

The account name syntax is:

$accountId$

Sample Forms

Identity Manager provides the AccessManagerUserForm.xml sample form.

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.AccessManagerResourceAdapter





Copyright 2006 Sun Microsystems, Inc. All rights reserved.