-p 80 /poc2portal
Create a trusted SSO user
The Extended Trust Association Interceptor requires a user to exist in the user registry that will be used to authenticate trust. This user and their password will become the central part of establishing trust between WebSEAL and WebSphere Application Server. The value of the custom property com.ibm.websphere.security.webseal.loginId will be set to this user, and the dummy password in WebSEAL will be set to this user's password.
Syntax-
user create sso cn=sso,o=ibm,c=au sso sso ssopwd
user modify sso account-valid yes
If the custom property com.ibm.websphere.security.webseal.useWebSphereUserRegistry is set to true, this user must be created in the WebSphere Application Server user registry. (See the WebSphere Application Server Info Center for details.)
Set the dummy password
WebSEAL provides a mechanism for predetermining the password that is passed in the basic authentication header of the HTTP request. Set the dummy password in the WebSEAL instance configuration file; it is the password WebSEAL sends when a junction is created with the -b supply parameter described in Required junction parameters. The configuration file to update, webseald-instancename.conf, is in your webseal_home/etc directory.
- Browse to /opt/pdweb/etc, open the file webseald-default.conf, search for basicauth-dummy-passwd, and change the value of this property to the password of the trusted SSO user. Save the file and restart the WebSEAL instance so that the new value takes effect.
- Create an ACL:
Syntax-
acl create adminACL
acl modify adminACL set group SecurityGroup Tr
- Attach ACL:
Syntax-
acl attach /WebSEAL/-default/poc2portal/wps/portal adminACL
Enabling Global Security
- Log in to WebSphere Portal Server Console using the administrator id.
- Expand Security and select Global Security as shown in figure 9.
Figure 9

- Click on “Security Configuration Wizard” as shown in figure 10.
Figure 10

- Select enable application security and click Next as shown in figure 11.
Figure 11

- Select Standalone registry and click Next as shown in figure 12.
Figure 12

- Fill in the details below and click Next as shown in figure 13.
Figure 13

- Where is the user id with admin access in the user registry to which you are connecting.
- Click finish.
Figure 14

- Click Save to apply changes to the master configuration and restart the WebSphere Application Server as shown in figure 15.
Figure 15

Updating properties files
wkplc.properties
This property file needs to be updated with the WebSphere Application Server, WebSphere Portal Server and LDAP related information required by the scripts mentioned in the next section.
Here are the properties updated:
EngineInstallLocation=<path to ConfigEngine directory>
WasSoapPort=<SOAP port>
WasRemoteHostName=<fully qualified host name>
VirtualHostName=default_host
WasUserid=cn=userId,dc=xyz,dc=com
WasPassword=<password>
WasHome=/usr/IBM/WebSphere/AppServer <AppServer directory path>
WasUserHome=/usr/IBM/WebSphere/wp_profile <wps profile path>
ProfileName=wp_profile <profile_name>
CellName=<cell name>
NodeName=<node name>
ServerName=WebSphere_Portal
WasAdminServer=server1
wasJvmBitType=x64 (specific to AIX 64)
WpsInstallLocation=/usr/IBM/WebSphere/PortalServer <wps installation path>
WpsHostName=<fully qualified host name>
WpsHostPort=
PortalAdminId=cn=userId,dc=xyz,dc=com
PortalAdminPwd=<password>
PortalAdminGroupId=cn=admingroup,dc=xyz,dc=com
standalone.ldap.id=ldapitds <create an id>
standalone.ldap.host=<ldap host name>
standalone.ldap.port=<ldap instance listening port>
standalone.ldap.bindDN=cn=root
standalone.ldap.bindPassword=<bind password>
standalone.ldap.ldapServerType=IDS <If registry is Tivoli Directory Server>
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=ibm-allGroups:member;ibm-allGroups:uniqueMember
standalone.ldap.userFilter=(&(uid=%v)(objectclass=ePerson))
standalone.ldap.groupFilter=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
standalone.ldap.serverId=cn=userId,dc=xyz,dc=com
standalone.ldap.serverPassword=<password>
standalone.ldap.primaryAdminId=cn=userId,dc=xyz,dc=com
standalone.ldap.primaryAdminPassword=<password>
standalone.ldap.primaryPortalAdminId=cn=userId,dc=xyz,dc=com
standalone.ldap.primaryPortalAdminPassword=<password>
standalone.ldap.primaryPortalAdminGroup=cn=admingroup,dc=xyz,dc=com
standalone.ldap.baseDN=dc=xyz,dc=com
If you want to change the admin user, you need to specify these properties:
newAdminId=cn=userId,dc=xyz,dc=com
newAdminPw=<password>
newAdminGroupId=cn=admingroup,dc=xyz,dc=com
wkplc_comp.properties
This property file needs to be updated with the Tivoli Access Manager (TAM) related information required by the scripts mentioned in the next section. The properties that need to be updated are listed below. For the complete list of properties and their explanation, refer to the attached property file:
wp.ac.impl.PDAdminId=<TAM admin user ID>
wp.ac.impl.PDAdminPwd=<TAM admin password>
wp.ac.impl.PDPermPath=${WasHome}/java/jre/PdPerm.properties
wp.ac.impl.PDClasspath=${WasHome}/java/jre/lib/ext/PD.jar
wp.ac.impl.PDHome=${WasHome}/java/jre/PolicyDirector
wp.ac.impl.JavaHome=${WasHome}/java/jre/
wp.ac.impl.CfgFilesPath=${WasHome}/java/jre
wp.ac.impl.TamHost=<fully qualified hostname of TAM>
wp.ac.impl.PDServerName=amwp70 (you can specify instance name you want to create as TAM server instance)
wp.ac.impl.SvrSslCfgPort=7223
wp.ac.impl.SvrSslCfgMode=remote
wp.ac.impl.PDPolicyServerList=<fully qualified hostname>:7135:1
wp.ac.impl.PDAuthzServerList=<fully qualified hostname>:7136:1
wp.ac.impl.PDKeyPath=${WasHome}/java/jre/lib/pdperm.ks
You can specify the properties below if you need the scripts to create the junction, or you can create it with a command. Refer to Appendix C for the command details:
wp.ac.impl.JunctionType=tcp
wp.ac.impl.JunctionPoint=/wpsv70 <Junction with this name will be created>
wp.ac.impl.WebSealInstance=<web seal instance name>
wp.ac.impl.TAICreds=iv-user,iv-creds
wp.ac.impl.JunctionHost=<fully qualified hostname for junction>
wp.ac.impl.JunctionPort=80
Tivoli Access Manager: WebSphere Application Server WebSEAL TAI parameters. If you specify these parameters, the script enables TAI and creates these custom properties with the values specified; the script installs and configures TAI++.
So if you want to use ETAI for trust association, leave these parameters blank and refer to section 2.1. If you want to use TAI++, skip section 2.1 and enter values for the parameters below; the enable-tam-all script will enable the trust association and create all the parameters.
wp.ac.impl.loginId=<SSO user id>
wp.ac.impl.BaUserName=<admin id>
wp.ac.impl.BaPassword=<admin password>
wp.ac.impl.checkViaHeader=false
wp.ac.impl.viaDepth=0
wp.ac.impl.ssoPwdExpiry=600
wp.ac.impl.ignoreProxy=false
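To make concrete what the trusted SSO user, the dummy password and the TAI++ parameters above buy you, here is an added example (written for this article, not IBM's TAI++ code) that models the trust decision: the basic authentication header must carry the loginId and its password, the last Via hop must be a known WebSEAL when checkViaHeader is on, and only then is the iv-user header believed. The config values, the trustedHosts set and the host name are constructed assumptions.

```python
import base64
import hmac

# Constructed settings mirroring the wp.ac.impl.* TAI++ keys above. loginPassword is
# the trusted SSO user's password, i.e. what WebSEAL sends as basicauth-dummy-passwd.
# trustedHosts is an assumption: WebSEAL host names allowed as the last Via hop.
TAI_CONFIG = {"loginId": "sso", "loginPassword": "ssopwd",
              "checkViaHeader": True, "trustedHosts": {"webseal.xyz.com"}}

def parse_basic_auth(value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def last_via_host(value):
    """Host of the last hop in a Via header: '1.0 proxy, 1.1 webseal.xyz.com' -> 'webseal.xyz.com'."""
    hops = [h.split() for h in value.split(",") if h.strip()]
    if not hops or len(hops[-1]) < 2:
        return None
    return hops[-1][1].split(":")[0]

def establish_trust(headers, cfg=TAI_CONFIG):
    """Simplified TAI++-style decision: return the iv-user identity, or None if untrusted.

    Trust rests on the BA header carrying the trusted SSO user's credentials and, when
    checkViaHeader is on, on the request having arrived through a known WebSEAL."""
    headers = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic_auth(headers.get("authorization", ""))
    if creds is None:
        return None
    user, password = creds
    # Constant-time comparison so the shared secret cannot be probed byte by byte.
    if not (hmac.compare_digest(user.encode(), cfg["loginId"].encode())
            and hmac.compare_digest(password.encode(), cfg["loginPassword"].encode())):
        return None
    if cfg["checkViaHeader"] and last_via_host(headers.get("via", "")) not in cfg["trustedHosts"]:
        return None
    # Only now is the identity asserted by WebSEAL (iv-user, one of the TAICreds) believed.
    return headers.get("iv-user", "").strip() or None
```

The model shows why the dummy password is the whole secret: any client that can reach the application server directly with that basic authentication header can assert any iv-user, which is why the junction, the ACL and network restrictions on the back-end port matter.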
Tivoli Access Manager: Portal authorization parameters. The following information is used to authenticate with TAM:
wp.ac.impl.PDRoot=/WebSEAL
wp.ac.impl.PDCreateAcl=true
wp_security_ids.properties
These properties are used by the wp-modify-ldap-security and wp-update-standalone-ldap scripts to change the registry from the WebSphere Application Server user registry to a standalone LDAP user registry.
standalone.ldap.id=ldapitds <this will create an id with the name you provide here>
standalone.ldap.host= <fully qualified ldap hostname>
standalone.ldap.port=<ldap instance port>
standalone.ldap.bindDN=cn=root
standalone.ldap.bindPassword=<password>
standalone.ldap.ldapServerType=IDS
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=ibm-allGroups:member;ibm-allGroups:uniqueMember
standalone.ldap.userFilter=(&(uid=%v)(objectclass=ePerson))
standalone.ldap.groupFilter=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
standalone.ldap.serverId=cn=userId,dc=xyz,dc=com
standalone.ldap.serverPassword=<password>
standalone.ldap.primaryAdminId=cn=userId,dc=xyz,dc=com
standalone.ldap.primaryAdminPassword=<password>
standalone.ldap.primaryPortalAdminId=cn=userId,dc=xyz,dc=com
standalone.ldap.primaryPortalAdminPassword=<password>
standalone.ldap.primaryPortalAdminGroup=cn=admingroup,dc=xyz,dc=com
standalone.ldap.baseDN=dc=xyz,dc=com
standalone.ldap.personAccountRdnProperties=uid
standalone.ldap.groupRdnProperties=cn
Executing scripts
WebSphere Portal to TAM connection
Configuring and connecting WebSphere Portal Server is a three-step process. Execute the steps in sequence, and proceed to the next step only after you get the ‘Build Successful’ message in the command prompt for the preceding step.
Step 1: Run the following task to create the AMJRTE properties file:
./ConfigEngine.sh run-svrssl-config -DWasUserid=<was admin userid> -DWasPassword=<admin password> -Dwp.ac.impl.PDAdminPwd=<Pdadmin password>
Note: If the configuration task fails, validate the values in the wkplc_comp.properties file.
After successful completion of the task, the following file is created:
AppServer_root/java/jre/PolicyDirector/PdPerm.properties
Step 2: Run the following task to validate that the AMJRTE properties file created in the previous step exists:
./ConfigEngine.sh validate-pdadmin-connection -DWasUserid=<was admin userid> -DWasPassword=<admin password> -Dwp.ac.impl.PDAdminPwd=<Pdadmin password>
Note: If the task does not run successfully, run the run-svrssl-config task to create the properties file, and then run the validate-pdadmin-connection task again. If it fails again, verify the values in wkplc.properties. A task that does not run successfully indicates that your portal cannot connect to the Tivoli Access Manager server.
Step 3: Run the following task. It takes 10 to 15 minutes to complete and creates all the junctions, the ACL and the TAI++ custom properties:
./ConfigEngine.sh enable-tam-all -DWasUserid=<was admin userid> -DWasPassword=<admin password> -Dwp.ac.impl.PDAdminPwd=<Pdadmin password>
Note: If the task does not run successfully, ensure the values you specified in wkplc_comp.properties are valid.
WebSphere Portal to LDAP connection
WebSphere Portal is configured with the default federated repository with a built-in file repository. Therefore, you must run the wp-modify-ldap-security task to switch to a standalone LDAP user registry.
Run the following task:
./ConfigEngine.sh wp-modify-ldap-security -DWasUserid=<was admin userid> -DWasPassword=<admin password> -Dwp.ac.impl.PDAdminPwd=<Pdadmin password>
Appendices
A. References
Release Notes for ITAM 6.1:
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc/am611_relnotes.htm
ITAM 6.1 installation guide:
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc/am611_install.pdf
IBM HTTP Server installation guide:
ftp://public.dhe.ibm.com/software/webserver/appserv/library/v70/ihs_70.pdf
For Windows installation, refer to the following link:
http://www.ibm.com/developerworks/tivoli/library/t-ssotam/
B. Definitions
Abbreviation | Meaning
AMRT | Access Manager Runtime
AMRTJ | Access Manager Runtime for Java
AMWPM | Access Manager Web Portal Manager
TDS Client | Tivoli Directory Server Client
AMADK | Access Manager Development Kit
ITIM | IBM Tivoli Identity Manager
ITAM | IBM Tivoli Access Manager
WAS | WebSphere Application Server
C. Creating User and junction in TAM
Run the command ‘pdadmin’ and log in:
pdadmin> login
Enter User ID: userID
Enter Password:
pdadmin userID>
Run the following commands to create groups, users, ACL and junctions:
1. Creating groups:
group create group1 cn=group1,dc=xyz,dc=com group1
2. Creating Users:
user create user1 cn=user1,dc=xyz,dc=com user1 user1 user1234 group1
3. Creating ACL:
acl create group1ACL
acl modify group1ACL set group group1 Tr
4. Creating junction:
server task <webseal instance name> create -t tcp -c iv_user -h <target host name> -p 80 /<junction_name>
The name of the object to which the ACL is attached is found with the object list commands in pdadmin, as shown below:
pdadmin userID> object list
/Management
/WebSEAL
pdadmin userID> object list /WebSEAL
/WebSEAL/<hostname>-default
5. Attaching ACL:
acl attach /WebSEAL/<hostname>-default/<junction_name>/<context_root> group1ACL
About the author
Ashutosh Rajput
I am currently working as a Technical Lead with IBM and have 9 years of experience in Java/J2EE technologies including Rational, WebSphere and Tivoli products.
I hold a Master of Computer Application (MCA) degree and I am a Sun Certified Java Programmer (SCJP), Sun Certified Web Component Developer (SCWCD), and Sun Certified Business Component Developer (SCBCD).