WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring a JACC provider

Before you begin

The Java Authorization Contract for Containers (JACC) defines a contract between Java 2 Platform, Enterprise Edition (J2EE) containers and authorization providers. It enables third-party authorization providers to plug into a J2EE 1.4 application server, such as WebSphere Application Server, and make the authorization decisions when a J2EE resource is accessed. The JACC provider can be implemented using Tivoli Access Manager.

Read the following articles for more detailed information about JACC before you attempt to configure the WebSphere Application Server to use a JACC provider:

Steps for this task

  1. Start the WebSphere Application Server administrative console by opening http://yourhost.domain:9060/ibm/console after starting the WebSphere Application Server. If security is currently disabled, log in with any user ID. If security is currently enabled, log in with a predefined administrative ID and password (this is typically the server user ID specified when you configured the user registry).
  2. Click Security > Global Security from the left navigation menu.
  3. Under Authorization, click Authorization Providers.
  4. Under General Properties, click External JACC provider.
  5. Under Additional Properties, click Tivoli Access Manager properties.
  6. Enter the following information:
    Enable embedded Tivoli Access Manager
    Select this option to enable the Tivoli Access Manager.
    Ignore errors during embedded Tivoli Access Manager disablement
    Select this option when you want to unconfigure the JACC provider. Do not select this option during configuration.
    Client listening point set
    WebSphere Application Server must listen on a TCP/IP port for authorization database updates from the policy server. More than one process can run on a particular node or machine.

    Enter the listening ports used by Tivoli Access Manager clients, separated by a comma. If a range of ports is specified, separate the lower and higher values by a colon (for example, 7999, 9990:999).

    Policy server
    Enter the name of the Tivoli Access Manager policy server and the connection port. Use the form policy_server:port. The policy communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7135.
    Authorization servers
    Enter the name of the Tivoli Access Manager authorization server. Use the form auth_server:port:priority. The authorization server communication port is set at the time of the Tivoli Access Manager configuration, and the default is 7136.

    More than one authorization server can be specified by separating the entries with commas. Specifying more than one authorization server at a time is useful for reasons of failover and performance.

    The priority value is determined by the order of the authorization server use (for example, auth_server1:7136:1, and auth_server2:7137:2). A priority value of 1 is required when configuring against a single authorization server.

    Administrator user name
    Enter the Tivoli Access Manager administrator user name that was created when Tivoli Access Manager was configured (it is usually sec_master).
    Administrator user password
    Enter the Tivoli Access Manager administrator password.
    User registry distinguished name suffix
    Enter the distinguished name suffix for the user registry that is shared between Tivoli Access Manager and WebSphere (for example, o=ibm, c=us).
    Security domain
    You can create more than one security domain in Tivoli Access Manager, each with its own administrative user. Users, groups, and other objects are created within a specific domain and are not permitted to access resources in another domain.

    Enter the name of the Tivoli Access Manager security domain that is used to store WebSphere Application Server users and groups.

    If a security domain has not been established at the time of the Tivoli Access Manager configuration, leave the value as Default.

    Administrator user distinguished name
    Enter the full distinguished name of the WebSphere security administrator ID (for example, cn=wasdmin, o=organization, c=country). The ID name must match the Server user ID on the LDAP User Registry panel in the administrative console. To access the LDAP User Registry panel, click Security > Global Security. Under User registries, click LDAP.
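
The values entered in step 6 have fixed formats (comma-separated listening ports with low:high ranges, policy_server:port, auth_server:port:priority with priority 1 required for a single server, and comma-separated distinguished names), and a malformed entry is only discovered when the embedded Tivoli Access Manager client fails to start. The following Python checker is an added example and is not part of the IBM documentation or of WebSphere itself: it validates the syntax of those fields before they are typed into the console. The field names and formats come from this page; the host names and sample values are constructed, and the checker never contacts a policy or authorization server.

```python
import re
from typing import Dict, List, Tuple

# Host names as written in this page's examples (policy_server, auth_server1);
# underscores are accepted only because the page's own examples use them.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=\S.*$")


def _port(text: str, context: str) -> int:
    """Parse a TCP port, naming the offending field in the error."""
    try:
        port = int(text.strip())
    except ValueError:
        raise ValueError(f"{context}: port {text!r} is not a number") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"{context}: port {port} is outside 1-65535")
    return port


def _host(text: str, context: str) -> str:
    host = text.strip()
    if not _HOST_RE.match(host):
        raise ValueError(f"{context}: invalid host name {host!r}")
    return host


def parse_listening_points(value: str) -> List[Tuple[int, int]]:
    """'Client listening point set': comma-separated ports, ranges written low:high.
    Returns (low, high) tuples; a single port becomes (port, port)."""
    points = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("listening points: empty entry")
        if ":" in item:
            low_s, high_s = item.split(":", 1)
            low = _port(low_s, "listening points")
            high = _port(high_s, "listening points")
            if low > high:  # e.g. 9990:999, where the upper bound is below the lower
                raise ValueError(f"listening points: range {item!r} is reversed")
        else:
            low = high = _port(item, "listening points")
        points.append((low, high))
    return points


def parse_policy_server(value: str) -> Tuple[str, int]:
    """'Policy server': exactly policy_server:port (the page's default port is 7135)."""
    host_s, sep, port_s = value.strip().partition(":")
    if not sep or ":" in port_s:
        raise ValueError("policy server: expected the form policy_server:port")
    return _host(host_s, "policy server"), _port(port_s, "policy server")


def parse_authorization_servers(value: str) -> List[Tuple[str, int, int]]:
    """'Authorization servers': comma-separated auth_server:port:priority entries.
    Returns the servers ordered by priority; a lone server must use priority 1."""
    servers = []
    for item in value.split(","):
        parts = item.strip().split(":")
        if len(parts) != 3:
            raise ValueError(f"authorization servers: {item.strip()!r} is not auth_server:port:priority")
        host = _host(parts[0], "authorization servers")
        port = _port(parts[1], "authorization servers")
        try:
            priority = int(parts[2].strip())
        except ValueError:
            raise ValueError(f"authorization servers: priority {parts[2]!r} is not a number") from None
        if priority < 1:
            raise ValueError("authorization servers: priority must be 1 or greater")
        servers.append((host, port, priority))
    if len(servers) == 1 and servers[0][2] != 1:
        raise ValueError("authorization servers: a single server must use priority 1")
    return sorted(servers, key=lambda s: s[2])


def check_tam_properties(props: Dict[str, str]) -> List[str]:
    """Run every format check over a dict keyed by the panel's field names and
    return the problems found (an empty list means all values are well formed)."""
    problems: List[str] = []
    parsers = {
        "Client listening point set": parse_listening_points,
        "Policy server": parse_policy_server,
        "Authorization servers": parse_authorization_servers,
    }
    for name, parser in parsers.items():
        if not props.get(name, "").strip():
            problems.append(f"{name}: missing")
            continue
        try:
            parser(props[name])
        except ValueError as exc:
            problems.append(str(exc))
    # Both DN fields must at least be comma-separated attr=value pairs.
    for name in ("User registry distinguished name suffix", "Administrator user distinguished name"):
        dn = props.get(name, "")
        if not dn.strip() or not all(_RDN_RE.match(r.strip()) for r in dn.split(",")):
            problems.append(f"{name}: expected comma-separated attr=value pairs, got {dn!r}")
    return problems


# Constructed sample values in the page's formats (not from a real deployment).
SAMPLE = {
    "Client listening point set": "7999, 9990:9999",
    "Policy server": "policy_server:7135",
    "Authorization servers": "auth_server2:7137:2, auth_server1:7136:1",
    "User registry distinguished name suffix": "o=ibm, c=us",
    "Administrator user distinguished name": "cn=wasadmin, o=organization, c=country",
}

if __name__ == "__main__":
    for line in check_tam_properties(SAMPLE) or ["all values are well formed"]:
        print(line)
```

Running the script on the constructed sample prints that all values are well formed; feeding it a reversed port range or a single authorization server with a priority other than 1 reports the field and the reason, which is the check the console itself does not perform at entry time.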

What to do next

After you have configured a JACC provider, you must enable it in the WebSphere Application Server administrative console. See Enabling an external JACC provider for more information.



Related concepts
Tivoli Access Manager integration as the JACC provider
Authorization in WebSphere Application Server
JACC providers
JACC support in WebSphere Application Server

Related tasks
Enabling an external JACC provider

Related reference
Interfaces used to support JACC
Troubleshooting authorization providers
External Java Authorization Contract for Containers provider settings


Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_configauthzprov.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.