Resource Configuration Notes

This section provides instructions for configuring Access Manager resources, including:

• General instructions for setting up the IBM Tivoli Access Manager resource for use with Identity Manager

• Instructions for using Access Manager as the Web Access Control for Identity Manager

General Configuration

Follow these steps when setting up the IBM Tivoli Access Manager resource for use with Identity Manager:

Setting Up Tivoli Access Manager

1. Install the IBM Tivoli Access Manager Java Runtime Component on the Identity Manager server.

2. Set your PATH variable to include the path to the JVM for your application server.

3. Run the pdjrtecfg -action config command to install the following Access Manager .jar files to the JRE’s lib/ext directory:

   • ibmjceprovider.jar

     • ibmjsse.jar

     • ibmpkcs.jar

     • jaas.jar

     • local_policy.jar

     • PD.jar

     • US_export_policy.jar

     • ibmjcefw.jar

       For more information, see the IBM Tivoli Access Manager Base Installation Guide.

4. Remove the following jar files from the InstallDir\idm\WEB-INF\lib directory (depending on your application server, these files may have been removed during the Identity Manager product installation):

   • jsse.jar

     • jcert.jar

     • jnet.jar

     • cryptix-jce-api.jar

     • cryptix-jce-provider.jar

5. Add the following lines to the java.security file, if they do not already exist:

   security.provider.2=com.ibm.crypto.provider.IBMJCEsecurity.provider.3= com.ibm.net.ssl.internal.ssl.Provider

   The number that follows security.provider in each line specifies the order in which Java consults security provider classes and should be unique. The sequence numbers may vary in your environment. If you already have multiple security providers in the java.security file, insert the new security providers in the order given above and renumber any existing security providers. Do not remove the existing security providers and do not duplicate any providers.

6. Add the VM parameter to the application server:

   -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol

   If necessary, you can add multiple packages by delimiting with a | (pipe symbol). For example:

   -Djava.protocol.handler.pkgs=sun.net.www.protocol| \ com.ibm.net.ssl. internal.www.protocol

7. Make sure the IBM Tivoli Access Manager Authorization Server is configured and running.

8. Run theSvrSslCfg command:

   For example:

   java com.tivoli.pd.jcfg.SvrSslCfg -action config \ -admin_id sec_master -admin_pwd secpw \ -appsvr_id PDPermissionjapp -host amazn.myco.com \ -mod local -port 999 -policysvr ampolicy.myco.com:7135:1 \ -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/configfile \ -key_file c:/am/keystore -cfg_action create

   The am directory must already exist. Successful completion creates these files in the c:\am directory:

   • configfile

     • keystore

       For more information, see IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference and IBM Tivoli Access Manager Administration Java Classes Developer’s Reference.

Setting Up Web Access Control

The following procedure describes the general configuration steps to use Tivoli Access Manager as the Web Access Control for Identity Manager. Some of the following steps require detailed knowledge of the Tivoli Access Manager software.

General Steps for Configuring Tivoli Access Manager as Web Access Control

1. Install and configure IBM Tivoli Access Manager Java Runtime Component on the Identity Manager server.

2. Configure the JDK Security Settings on the Identity Manager server.

3. Create the Access Manager SSL Config files on the Identity Manager server.

4. Create a Junction in Access Manager for the Identity Manager URLs. Refer to the Tivoli Access Manager product documentation for more details.

   The following example pdadmin command illustrates how to create a junction:

   pdadmin server task WebSealServer create -t Connection / -p Port -h Server -c ListOfCredentials -r -i JunctionName

5. Configure the Identity Manager Base HREF property for the WebSeal Proxy Server.

6. Set up the Access Manager resource adapter.

7. Load the Access Manager users into Identity Manager.

8. Configure pass-through authentication for Access Manager in Identity Manager.

   When a user attempts to access the Identity Manager URLs through Access Manager, the user’s identity is passed in the HTTP header to Identity Manager. Identity Manager then uses that identity to verify the user exists in Access Manager and in Identity Manager. If the user is trying to access the Identity Manager Administrator interface, Identity Manager checks the Identity Manager Security configuration for the user to make sure they have Identity Manager administrative rights. End users are also verified against Access Manager, and whether they have a Identity Manager account.