This section provides instructions for configuring Access Manager resources, including:
General instructions for setting up the IBM Tivoli Access Manager resource for use with Waveset
Instructions for using Access Manager as the Web Access Control for Waveset
Follow these steps when setting up the IBM Tivoli Access Manager resource for use with Waveset:
Install the IBM Tivoli Access Manager Java Runtime Component on the Waveset server.
Set your PATH variable to include the path to the JVM for your application server.
Run the pdjrtecfg -action config command to install the following Access Manager .jar files to the JRE’s lib/ext directory:
Remove the following jar files from the InstallDir\idm\WEB-INF\lib directory (depending on your application server, these files may have been removed during the Waveset product installation):
Add the following lines to the java.security file, if they do not already exist:
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.net.ssl.internal.ssl.Provider
The number that follows security.provider in each line specifies the order in which Java consults security provider classes and should be unique. The sequence numbers may vary in your environment. If you already have multiple security providers in the java.security file, insert the new security providers in the order given above and renumber any existing security providers. Do not remove the existing security providers and do not duplicate any providers.
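The following is an added example, not part of the Waveset documentation: a small Python script that performs the java.security edit described above on a constructed sample file, inserting the two IBM providers at slots 2 and 3, renumbering the providers that follow, and skipping a provider class that is already registered so nothing is duplicated or removed.

```python
import re

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Provider classes from the page, with the slot each one must occupy.
NEW_PROVIDERS = [
    (2, "com.ibm.crypto.provider.IBMJCE"),
    (3, "com.ibm.net.ssl.internal.ssl.Provider"),
]

# Constructed sample of a java.security fragment before the edit.
SAMPLE = """\
# constructed sample; a real file carries many more settings
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
"""


def list_providers(text):
    """Return the provider classes in text, ordered by sequence number."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def insert_providers(text, new_providers=NEW_PROVIDERS):
    """Insert new_providers at their slots, renumber the rest, never duplicate."""
    ordered = list_providers(text)
    for slot, cls in new_providers:
        if cls in ordered:
            continue  # already registered: do not add a second copy
        ordered.insert(min(slot - 1, len(ordered)), cls)
    block = ["security.provider.%d=%s" % (n, c) for n, c in enumerate(ordered, 1)]
    out, emitted = [], False
    for line in text.splitlines():
        if PROVIDER_RE.match(line):
            if not emitted:        # write the renumbered block once, where
                out.extend(block)  # the first provider line used to be
                emitted = True
            continue               # drop the old line; it is in the block
        out.append(line)
    if not emitted:                # no providers at all: append the block
        out.extend(block)
    return "\n".join(out) + "\n"
```

Running `insert_providers` a second time on its own output changes nothing, which is the check to run before restarting the application server.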
Add the VM parameter to the application server:
-Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol
If necessary, you can add multiple packages by delimiting with a | (pipe symbol). For example:
-Djava.protocol.handler.pkgs=sun.net.www.protocol|com.ibm.net.ssl.internal.www.protocol
Make sure the IBM Tivoli Access Manager Authorization Server is configured and running.
Run the SvrSslCfg command:
For example:
java com.tivoli.pd.jcfg.SvrSslCfg -action config \
  -admin_id sec_master -admin_pwd secpw \
  -appsvr_id PDPermissionjapp -host amazn.myco.com \
  -mod local -port 999 -policysvr ampolicy.myco.com:7135:1 \
  -authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/configfile \
  -key_file c:/am/keystore -cfg_action create
The am directory must already exist. Successful completion creates these files in the c:\am directory:
The following procedure describes the general configuration steps to use Tivoli Access Manager as the Web Access Control for Waveset. Some of the following steps require detailed knowledge of the Tivoli Access Manager software.
Install and configure IBM Tivoli Access Manager Java Runtime Component on the Waveset server.
Configure the JDK Security Settings on the Waveset server.
Create the Access Manager SSL Config files on the Waveset server.
Create a Junction in Access Manager for the Waveset URLs. Refer to the Tivoli Access Manager product documentation for more details.
The following example pdadmin command illustrates how to create a junction:
pdadmin server task WebSealServer create -t Connection / -p Port -h Server -c ListOfCredentials -r -i JunctionName
Configure the Waveset Base HREF property for the WebSeal Proxy Server.
Set up the Access Manager resource adapter.
Load the Access Manager users into Waveset.
Configure pass-through authentication for Access Manager in Waveset.
When a user attempts to access the Waveset URLs through Access Manager, the user’s identity is passed in the HTTP header to Waveset. Waveset then uses that identity to verify that the user exists in both Access Manager and Waveset. If the user is trying to access the Waveset Administrator interface, Waveset checks the Waveset Security configuration for that user to make sure they have Waveset administrative rights. End users are likewise verified against Access Manager and checked for a Waveset account.
If you are installing IBM Tivoli Access Manager with a WebSphere application server, do not copy the jsse.jar, jcert.jar, and jnet.jar files during Waveset installation to the WEB-INF\lib directory; otherwise, a conflict results.
The Access Manager resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
Copy the pd.jar file from the Access Manager installation media to the $WSHOME/WEB-INF/lib directory.
Add the following value in the Custom Resources section of the Configure Managed Resources page:
com.waveset.adapter.AccessManagerResourceAdapter
This section lists dependencies and limitations related to using the Access Manager resource adapter.
If you want to use the Waveset single sign-on or pass-through authentication features with this resource, you must use Access Manager as the Waveset proxy server. For more information on proxy servers, see the Identity Manager Deployment Guide (Oracle Waveset 8.1.1 Deployment Guide).
When assigning additional resources to an existing Service Provider user account, the administrator must manually retype the user's password before saving the requested changes.
To configure GSO Web Resource or GSO Resource Group credentials from the Waveset Create User page, perform the following steps:
Select Add GSO Web Credentials or GSO Resource Group Credentials.
Select a target from the appropriate GSO credential drop-down menu.
Enter a resource user ID and password in the text fields.
You may edit the resource credential user ID and/or password by editing the appropriate field. For security reasons, the credential password is never retrieved.
To delete a credential, select it from the table and then click the corresponding Remove button.
This section provides information about supported connections and privilege requirements.
Waveset uses JNDI over SSL to communicate with Access Manager.
The administrative user must have sufficient privileges to create, update, and delete users, groups, Web resources, and resource groups.
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | No |
| Pass-through authentication | Yes |
| Before/after actions | No |
| Data loading methods | Import directly from resource; Reconciliation |
| Attribute | Data Type | Description |
|---|---|---|
| firstname | String | Required. The user’s first name. |
| lastname | String | Required. The user’s last name. |
| registryUID | String | Required. The account name stored in the user registry. |
| description | String | Text describing the user. |
| groups | String | The Access Manager groups that the user is a member of. |
| noPwdPolicy | Boolean | Indicates whether a password policy is enforced. |
| ssoUser | Boolean | Indicates whether the user has single sign-on abilities. |
| expirePassword | Boolean | Indicates whether the password will be expired. |
| importFromRgy | Boolean | Indicates whether to import group data from the user registry. |
| deleteFromRgy | Boolean | Indicates whether the user should be deleted. |
| syncGSOCreds | Boolean | Indicates whether to synchronize GSO passwords to the Access Manager password. |
| gsoWebCreds | String | A list of Web resource credentials the user has access to. |
| gsoGroupCreds | String | A list of resource group credentials the user has access to. |
Waveset supports the following objects:
| Resource Object | Features Supported | Attributes Managed |
|---|---|---|
| Group | Create, find, delete, update | name, description, registry name, member |
The account name syntax is:
$accountId$
Waveset provides the AccessManagerUserForm.xml sample form.
Use the Waveset debug pages to set trace options on the following class:
com.waveset.adapter.AccessManagerResourceAdapter