About this task
To configure TAM to process an authorization request from TFIM, complete the following steps. The examples use the TAM Version 6.01 pdadmin utility:

- Check that the action group used by the TFIM authorization module is available. The action group used is WebService:

    action group list

  If WebService is not listed, create it:

    action group create WebService

- Display the actions in the action group used by the TFIM authorization module. The action used is "i":

    action list WebService

  If action "i" <label> 0 is not listed, create it. The value of <label> can vary:

    action create i <label> 0 WebService

- Create the Access Control List (ACL) that will be used to grant access to one or more message flows. First, create the ACL and give the administrators access to it. In this example, iv-admin is the administration group and sec_master is the main administrator:

    acl create <AclName>
    acl modify <AclName> set Group iv-admin TcmdbsvaBRxl[WebService]i
    acl modify <AclName> set User sec_master TcmdbsvaBRxl[WebService]i

- Grant access to all authenticated users, or to specific groups, by adding them to the ACL. To grant access to any authenticated identity:

    acl modify <AclName> set Any-other Trx[WebService]i

  To add a specific group:

    acl modify <AclName> set group <GroupName> Trx[WebService]i

- Define protected object spaces in TAM for authorization of message flows:
  - Create the application container object as the root of the protected object space. This name links an instance of a TFIM AuthorizationSTSModule (within a module chain) into the TAM object space: the container object name must match the Web Service protected object name parameter on the TFIM Authorization module.

      objectspace create /<ContainerObjectName> <Description> 14

  - Create a container object in the tree for each integration node message flow that is being authorized. TFIM uses the message flow name to locate the point in the TAM object space tree at which authorization is evaluated through the attached ACL; the message flow name is passed as the PortType in the WS-Trust request to TFIM. Use the following command to create the object tree node representing each flow to be authorized:

      object create /<ContainerObjectName>/<FlowName> <Description> 11 ispolicyattachable yes

    The ispolicyattachable parameter applies at all levels, so you can attach an ACL at any level.
  - Create the leaf object that represents the authorized object used to grant access to the message flow. This is the fixed string MessageFlowAccess, which the integration node sends to TFIM through the TFIM OperationName extension to the WS-Trust request. A fixed name (MessageFlowAccess) is used instead of a true operation name because, at the input node, the integration node does not necessarily know which operation a flow is going to perform. The command syntax is:

      object create /<ContainerObjectName>/<FlowName>/MessageFlowAccess <Description> 12 ispolicyattachable yes

    where <FlowName> was created in the previous step.
  - Attach the ACL to the relevant node in the protected object space tree. Each node in the object space inherits ACLs from its parent, and a lower-level ACL can override a higher-level one. Use the following command syntax to attach an ACL to a node in the object space:

      acl attach /<ObjectSpacePath> <AclName>

    To attach an ACL to the leaf node:

      acl attach /<ContainerObjectName>/<FlowName>/MessageFlowAccess <AclName>
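The following Python model is an added example, not code from the IBM documentation or from the TAM or TFIM products. It simulates, offline, what the ACL and object-space steps above set up: it parses pdadmin permission strings such as Trx[WebService]i into per-action-group actions, resolves which ACL applies to /<ContainerObjectName>/<FlowName>/MessageFlowAccess through parent inheritance and lower-level override, and answers the question TFIM effectively asks TAM, namely whether the caller holds action "i" in action group WebService at that leaf. The evaluation order (explicit user entry, then group entries, then any-other, with unauthenticated used only for anonymous callers) is a simplified assumption of this model, and the container, flow, ACL and group names (MyContainer, OrderFlow, BillingFlow, AdminOnly, OrderFlowAcl, orders-team) are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PRIMARY = "primary"  # label for the primary action group (letters before any '[...]')


def parse_permissions(perm: str) -> Dict[str, Set[str]]:
    """Split a pdadmin permission string into {action group: actions}.

    Letters before the first '[' belong to the primary action group; each
    '[Group]' prefix switches to that group, so 'Trx[WebService]i' yields
    primary actions T, r, x and action i in the WebService action group.
    """
    groups: Dict[str, Set[str]] = {}
    current = PRIMARY
    for token in re.findall(r"\[[^\]]+\]|[A-Za-z]", perm):
        if token.startswith("["):
            current = token[1:-1]
        else:
            groups.setdefault(current, set()).add(token)
    return groups


@dataclass
class Acl:
    """One ACL as built by 'acl create' and 'acl modify ... set ...'."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)    # 'set User <name> <perms>'
    groups: Dict[str, str] = field(default_factory=dict)   # 'set Group <name> <perms>'
    any_other: str = ""                                    # 'set Any-other <perms>'
    unauthenticated: str = ""                              # 'set Unauthenticated <perms>'

    @staticmethod
    def grants(perm: str, action: str, action_group: str) -> bool:
        return action in parse_permissions(perm).get(action_group, set())

    def permits(self, user: Optional[str], member_of: List[str],
                action: str, action_group: str) -> bool:
        """Simplified evaluation order (assumption of this model): an explicit
        user entry is used on its own; otherwise the union of the caller's
        group entries; otherwise any-other. Anonymous callers (user is None)
        are judged by the unauthenticated entry only."""
        if user is None:
            return self.grants(self.unauthenticated, action, action_group)
        if user in self.users:
            return self.grants(self.users[user], action, action_group)
        matching = [self.groups[g] for g in member_of if g in self.groups]
        if matching:
            return any(self.grants(p, action, action_group) for p in matching)
        return self.grants(self.any_other, action, action_group)


def effective_acl(path: str, attachments: Dict[str, Acl]) -> Optional[Acl]:
    """Walk from the object towards the root; the nearest attached ACL wins,
    which is how a lower-level ACL overrides one attached higher up."""
    parts = path.strip("/").split("/")
    while parts:
        candidate = "/" + "/".join(parts)
        if candidate in attachments:
            return attachments[candidate]
        parts.pop()
    return attachments.get("/")


def authorize_flow(container: str, flow: str, user: Optional[str],
                   member_of: List[str], attachments: Dict[str, Acl]) -> bool:
    """The check for one message flow: action 'i' in action group 'WebService'
    on the fixed leaf /<container>/<flow>/MessageFlowAccess."""
    acl = effective_acl(f"/{container}/{flow}/MessageFlowAccess", attachments)
    return acl is not None and acl.permits(user, member_of, "i", "WebService")


# Constructed sample object space mirroring the page's commands:
# an administrators-only ACL on the container, and a flow-specific ACL on one leaf.
ADMIN_PERMS = "TcmdbsvaBRxl[WebService]i"
ADMIN_ACL = Acl("AdminOnly",
                users={"sec_master": ADMIN_PERMS},
                groups={"iv-admin": ADMIN_PERMS})
ORDER_ACL = Acl("OrderFlowAcl",
                users={"sec_master": ADMIN_PERMS},
                groups={"iv-admin": ADMIN_PERMS, "orders-team": "Trx[WebService]i"},
                any_other="T")  # traverse only: no 'i' in WebService for everyone else
ATTACHMENTS = {
    "/MyContainer": ADMIN_ACL,                                  # acl attach /MyContainer AdminOnly
    "/MyContainer/OrderFlow/MessageFlowAccess": ORDER_ACL,      # acl attach ... OrderFlowAcl
}

if __name__ == "__main__":
    for who, groups, flow in [("alice", ["orders-team"], "OrderFlow"),
                              ("alice", ["orders-team"], "BillingFlow"),
                              ("bob", [], "OrderFlow"),
                              ("sec_master", [], "BillingFlow")]:
        print(who, flow, authorize_flow("MyContainer", flow, who, groups, ATTACHMENTS))
```

BillingFlow has no ACL of its own, so it inherits AdminOnly from /MyContainer and the orders-team member is refused there, while the same member is granted on OrderFlow where the leaf-level ACL overrides the container's; an authenticated user with no matching group falls through to Any-other, which here carries no "i" in WebService.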
What to do next
For further information about configuring TAM, see
IBM® Security Systems product documentation online.