IBM BS029ML Self Help Guide - Page 115



Chapter 4. WebSphere Portal security, page 101
client certificate permits the portal server to use TAM authentication services. The default
expiration period of this client certificate is 365 days.

Important: If the TAM runtime has not been configured yet, run-svrssl-config should be run first
to set up the environment.

Important: Update the client certificate before it expires. Otherwise, it may bring the entire
site down.

The portal configuration tasks cannot be used to reconfigure the client certificate. You have to
run the following commands from the PDadmin command line:

    # unconfig
    java com.tivoli.pd.jcfg.SvrSslCfg -action unconfig \
        -admin_id sec_master -admin_pwd <password> \
        -appsvr_id <pdservername> \
        -policysvr policyserver.acme.com:7135:1 \
        -cfg_file <java_home>/jre/PdPerm.properties

and

    # config
    java com.tivoli.pd.jcfg.SvrSslCfg -action config \
        -admin_id sec_master -admin_pwd <password> \
        -appsvr_id <pdservername> -port 7223 \
        -policysvr policyserver.acme.com:7135:1 \
        -authzsvr authzserver.acme.com:7136:1 \
        -cfg_file <java_home>/jre/PdPerm.properties \
        -key_file <java_home>/jre/pdperm.ks \
        -cfg_action replace

where <pdservername> is the server host name you used when running SvrSslCfg to register with
the TAM Policy Server, <java_home> is where Java is installed under WebSphere Application
Server, and “authzserver” is the TAM Authorization server.

It is crucial to make sure the entries you entered into wpconfig.properties are correct. The
configuration tasks in WebSphere Portal take the parameter values from that file, assemble
PDadmin commands from them, and issue those commands to create the corresponding TAM
components.

enable-tam-tai: This task does three things:
- Takes the parameters in wpconfig.properties and creates the WebSEAL TAI junction.
- Configures the WebSEAL TAI in WebSphere Application Server and enables it.
- Updates “WP ConfigService” to add timeout.resume.session and set it to true.

enable-tam-authorization: This task consists of the following sub-tasks:
- Creates the TAM JAAS Login Modules WSLoginModule and PDLoginModule.
- Creates the property file “callbackheaderslist.properties” with iv-user and iv-creds.
- Updates “WP ExternalAccessControlService” to set up properties for WebSphere Portal to
  communicate with the TAM Policy Server.
- Updates “WP AccessControlDataManagementService” to set the external cache timeout to 300
  and whether the roles are reordered for easier reading.
- Updates “WP AccessControlService” to enable Externalization.
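The notes above stress that the TAM client certificate expires after 365 days by default and that letting it lapse takes the whole site down, so a defender wants an expiry check that runs on a schedule. The following script is an added example, not code from the Redbook or from IBM: it parses the output of `keytool -list -v` for the pdperm.ks keystore and reports the days remaining. It assumes pdperm.ks is a Java keystore readable by keytool and that keytool prints validity dates in its usual java.util.Date form; the sample keytool output, alias and dates are constructed.

```python
# Added example: report how long the TAM client certificate in pdperm.ks stays valid.
# Real use: keytool -list -v -keystore <java_home>/jre/pdperm.ks | python3 check_pdperm_cert.py
import re
import sys
from datetime import datetime, timezone

# Constructed sample of keytool -list -v output; alias, names and dates are made up.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: pdappsvr
Entry type: PrivateKeyEntry
Owner: CN=portalserver.acme.com, OU=WebSphere Portal, O=acme
Issuer: CN=PDCA, O=Tivoli Access Manager
Valid from: Mon Jan 15 10:00:00 UTC 2024 until: Wed Jan 15 10:00:00 UTC 2025
"""

# keytool prints dates in java.util.Date style "EEE MMM dd HH:mm:ss zzz yyyy" (assumed, locale dependent).
KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"
VALIDITY_RE = re.compile(r"until: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+ \d{4})")


def parse_not_after(keytool_output):
    """Return the 'until:' timestamp of the first certificate as an aware UTC datetime."""
    match = VALIDITY_RE.search(keytool_output)
    if not match:
        raise ValueError("no 'Valid from ... until:' line found in keytool output")
    # strptime's %Z accepts UTC/GMT and the local zone names; keytool prints the JVM's zone.
    return datetime.strptime(match.group(1), KEYTOOL_DATE).replace(tzinfo=timezone.utc)


def check_expiry(keytool_output, now_iso=None, warn_days=30):
    """Return (days_left, status) with status 'ok', 'warning' or 'expired'; now_iso pins the clock."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    days_left = (parse_not_after(keytool_output) - now).days
    if days_left < 0:
        return days_left, "expired"
    if days_left <= warn_days:
        return days_left, "warning"
    return days_left, "ok"


if __name__ == "__main__":
    # Read real keytool output from a pipe; fall back to the constructed sample when run by hand.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYTOOL_OUTPUT
    days, status = check_expiry(text)
    print(f"TAM client certificate: {status} ({days} days left)")
    sys.exit(0 if status == "ok" else 1)
```

A non-zero exit in the warning or expired state lets a cron job or monitoring agent raise an alert well before the SvrSslCfg unconfig/config cycle above has to be run under pressure.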