Why and when to perform this task
To create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials, perform the following steps.
Steps for this task
Configure the login module with the following values:
Module class name: com.tivoli.pd.as.gso.AMPrincipalMapper
Use Login Module Proxy: enable
Authentication strategy: REQUIRED
The Tivoli Access Manager principal mapping module uses the configuration string, authDataAlias, to retrieve the correct user name and password from the security configuration.
Which of the scenarios below applies is determined by the following JAAS configuration options. The details of these options are:
Name: com.tivoli.pd.as.gso.AliasContainsUserName
Value: True if the alias contains the user name, false if the user name should be retrieved from the security context.
When you enter authDataAliases through the WebSphere Application Server console, the node name is automatically prepended to the alias. The second JAAS configuration entry determines whether this node name is removed from, or kept as part of, the resource name.
Name: com.tivoli.pd.as.gso.AliasContainsNodeName
Value: True if the alias contains the node name.
Enter each new parameter using the following scenario information as a guide.
Name = com.tivoli.pd.as.gso.AMCfgURL
Value = file:///path to PdPerm.properties
Scenario 1
Auth Data Alias - BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
| Name | Value |
|---|---|
| delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
| com.tivoli.pd.as.gso.AliasContainsUserName | true |
| com.tivoli.pd.as.gso.AliasContainsNodeName | false |
| com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
| debug | false |
Scenario 2
Auth Data Alias - BackendEIS
Resource - BackEndEIS
User - Currently authenticated WAS user
Principal Mapping Parameters
| Name | Value |
|---|---|
| delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
| com.tivoli.pd.as.gso.AliasContainsUserName | false |
| com.tivoli.pd.as.gso.AliasContainsNodeName | false |
| com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
| debug | false |
Scenario 3
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
| Name | Value |
|---|---|
| delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
| com.tivoli.pd.as.gso.AliasContainsUserName | true |
| com.tivoli.pd.as.gso.AliasContainsNodeName | true |
| com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
| debug | false |
Scenario 4
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - nodename/BackEndEIS (notice that node name was not removed)
User - eisUser
Principal Mapping Parameters
| Name | Value |
|---|---|
| delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
| com.tivoli.pd.as.gso.AliasContainsUserName | true |
| com.tivoli.pd.as.gso.AliasContainsNodeName | false |
| com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
| debug | false |
Scenario 5
Auth Data Alias - BackendEIS/eisUser
Resource - BackEndEIS
User - eisUser
Principal Mapping Parameters
| Name | Value |
|---|---|
| delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
| com.tivoli.pd.as.gso.AliasContainsUserName | false |
| com.tivoli.pd.as.gso.AliasContainsNodeName | true |
| com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
| debug | false |
Scenario 6
Auth Data Alias - nodename/BackendEIS/eisUser
Resource - nodename/BackendEIS/eisUser (notice that the Resource is the same as Auth Data Alias).
User - Currently authenticated WAS user
Principal Mapping Parameters
| Name | Value |
|---|---|
| delegate | com.tivoli.pdwas.gso.AMPrincipalMapper |
| com.tivoli.pd.as.gso.AliasContainsUserName | false |
| com.tivoli.pd.as.gso.AliasContainsNodeName | false |
| com.tivoli.pd.as.gso.AMLoggingURL | file:///jlog_props_path |
| debug | false |
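The following added example (not IBM's code) models how the two options, AliasContainsNodeName and AliasContainsUserName, decide which part of an authDataAlias becomes the GSO resource name and whether the user name comes from the alias or from the security context. The function name, the GsoLookup type and the scenario table are assumptions for illustration; the checks reproduce scenarios 1 through 4 and 6 above (scenario 5 as listed is not derivable from the two flags alone, so it is left out), and the function rejects an alias that has too few "/" segments for the configured options.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class GsoLookup:
    resource: str        # resource name used for the GSO credential lookup
    user: Optional[str]  # None means "currently authenticated WAS user"


def map_alias(alias: str, alias_contains_user_name: bool,
              alias_contains_node_name: bool) -> GsoLookup:
    """Derive the GSO resource and user from an authDataAlias (hypothetical model).

    alias_contains_node_name: the console prepended "<node>/" to the alias and that
        leading segment must be removed before the alias is used as a resource name.
    alias_contains_user_name: the last "/" segment of the alias is the user name;
        otherwise the user is the currently authenticated WebSphere user.
    """
    segments = alias.split("/")
    # The flags imply a minimum number of segments: one for the resource, plus
    # one each for a node-name prefix and a user-name suffix. A misconfigured
    # pair of flags would otherwise silently produce an empty or wrong resource.
    required = 1 + int(alias_contains_node_name) + int(alias_contains_user_name)
    if len(segments) < required or any(s == "" for s in segments):
        raise ValueError(f"alias {alias!r} does not have the {required} "
                         "'/'-separated parts the configured options require")
    if alias_contains_node_name:
        segments = segments[1:]          # drop the "nodename/" prefix
    user = None
    if alias_contains_user_name:
        user = segments[-1]              # trailing "/eisUser" is the GSO user
        segments = segments[:-1]
    return GsoLookup(resource="/".join(segments), user=user)


def scenario_table() -> List[Tuple[int, GsoLookup]]:
    """Re-derive scenarios 1-4 and 6 from the alias and the two flags."""
    cases = [  # (scenario, alias, AliasContainsUserName, AliasContainsNodeName)
        (1, "BackendEIS/eisUser", True, False),
        (2, "BackendEIS", False, False),
        (3, "nodename/BackendEIS/eisUser", True, True),
        (4, "nodename/BackendEIS/eisUser", True, False),
        (6, "nodename/BackendEIS/eisUser", False, False),
    ]
    return [(n, map_alias(a, u, nd)) for n, a, u, nd in cases]


if __name__ == "__main__":
    for n, lookup in scenario_table():
        print(f"Scenario {n}: resource={lookup.resource!r} user={lookup.user or 'WAS security context'}")
```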
You now need to create the J2C authentication aliases. The user name and password assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing the user names and passwords. However, the user name and password assigned to the J2C authentication aliases must exist so that the alias can be selected for the J2C connection factory in the console.
To create the J2C authentication aliases, from the WebSphere Application Server administrative console, click Security > Global security. Under JAAS Configuration, click J2C Authentication Data, and then click New for each entry. Refer to the scenarios above for the inputs.