IBM Tivoli Access Manager Notes

From KnowWiki


Configuring SMS

Log output (CTGSM messages) from configuring the Session Management Server (SMS) on WebSphere; note that the sec_master password is masked in the log:

 com.tivoli.am.sms.config.DSessLogConfigurator configure()  CTGSM   server.domain.com IP CTGSM1354I   Updating the session management server logging configuration file, \E:\WebSphere\AppServer\profiles\AppSrv01\installedApps\serverCell01\DSess.ear\DSess.war\WEB-INF\server1\DSessLog.properties.
 com.tivoli.am.sms.config.AMJRTEConfigurator doPDJrteCfg()  CTGSM   server.domain.com IP CTGSM1350I   Running the Tivoli Access Manager Runtime for Java configuration command, E:\WebSphere\AppServer\java\jre\bin\java.exe -Dpd.home=E:\WebSphere\AppServer\java\jre\PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action unconfig -java_home E:\WebSphere\AppServer\java\jre -was.
 com.tivoli.am.sms.config.AMJRTEConfigurator doPDJrteCfg()  CTGSM   server.domain.com IP CTGSM1350I   Running the Tivoli Access Manager Runtime for Java configuration command, E:\WebSphere\AppServer\java\jre\bin\java.exe -Dpd.home=E:\WebSphere\AppServer\java\jre\PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action config -config_type full -java_home E:\WebSphere\AppServer\java\jre -host iam-t-mps.domain.com -was -port 7135 -domain Default.
 com.tivoli.am.sms.config.AMJRTEConfigurator doConfigure()  CTGSM   server.domain.com IP CTGSM1350I   Running the Tivoli Access Manager Runtime for Java configuration command, E:\WebSphere\AppServer\java\jre\bin\java.exe com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd ******** -appsvr_id SMS-serverNode01 -port 7777 -mode remote -domain Default -policysvr iam-t-mps.domain.com:7135:1 -authzsvr server.domain.com:7136:1, iam-t-rpps.domain.com:7136:1 -cfg_file \E:\WebSphere\AppServer\profiles\AppSrv01\installedApps\serverCell01\DSess.ear\DSess.war\WEB-INF\pdjrtecfg.properties -key_file \E:\WebSphere\AppServer\profiles\AppSrv01\installedApps\serverCell01\DSess.ear\DSess.war\WEB-INF\pdjrtecfg.jks.
 com.tivoli.am.sms.config.AMJRTEConfigurator configureKeyFiles()  CTGSM   server.domain.com IP CTGSM1351I   Creating SSL key files, E:\WebSphere\AppServer\profiles\AppSrv01\etc\SMSKeyStore.jks and E:\WebSphere\AppServer\profiles\AppSrv01\etc\SMSTrustStore.jks, for Tivoli Access Manager certificate authentication.

Configuring WebSphere to communicate with Authorization and Policy Server

am51_was_guide.pdf is helpful.

Create the TAM WebSphere administrative user (from Program Files/Tivoli/Policy Director/bin):

pdadmin -a sec_master -p sec_master        ( -p is the Tivoli Access Manager administrator password; sec_master is the lab value used throughout these notes )
pdadmin sec_master> user create tamwasadmin "CN=tamwasadmin,CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" tamwasadmin tamwasadmin <password, you decide>
pdadmin sec_master> user modify tamwasadmin account-valid true

( user create arguments are: user name, registry DN, cn, sn, password )

PDJrteCfg ( run on deployment manager first, then each node ):

<WAS HOME>/bin/setupCmdLine.bat
%WAS_HOME%\java\jre\bin\java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" -cp  "%WAS_HOME%\java\jre\lib\ext\PD.jar;%WAS_HOME%\java\jre\lib\ext\ibmjceprovider.jar;%WAS_HOME%\java\jre\lib\ext\ibmpkcs.jar;%CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg -action config -was -config_type full -host win2k3was5.domain.com

Use this if you need to unconfigure:

 %WAS_HOME%\java\jre\bin\java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" -cp  "%WAS_HOME%\java\jre\lib\ext\PD.jar;%WAS_HOME%\java\jre\lib\ext\ibmjceprovider.jar;%WAS_HOME%\java\jre\lib\ext\ibmpkcs.jar;%CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg -action unconfig -was -config_type full -host win2k3was5.domain.com

SvrSslCfg ( run on deployment manager first, then each node ). -admin_pwd and -appsvr_pwd are passed in clear on the command line, so they land in the command history and are visible in the process list while the command runs; the SMS log above shows the same command with the password masked :

dmgr -> %WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id dmgr -appsvr_pwd tamadminpwd -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
appserver1 -> %WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id appserver1 -appsvr_pwd tamadminpwd -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
appserver2 -> %WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id appserver2 -appsvr_pwd tamadminpwd -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
dmgr -> If this has already been run, use this to replace:  %WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id dmgr -appsvr_pwd password -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action replace

PDWasCfg

setupCmdLine.bat for each WAS instance
set PDWAS_HOME=%WAS_HOME%
dmgr -> %WAS_HOME%\bin\pdwascfg.bat -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd sec_master -pdmgrd_host win2k3was5.domain.com -pdacld_host win2k3was5.domain.com -was_home %WAS_HOME% -amwas_home %WAS_HOME% -embedded true -action_type local -verbose true
appserver1 -> %WAS_HOME%\bin\pdwascfg.bat -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd sec_master -pdmgrd_host win2k3was5.domain.com -pdacld_host win2k3was5.domain.com -was_home %WAS_HOME% -amwas_home %WAS_HOME% -embedded true -action_type local -verbose true
appserver2 -> %WAS_HOME%\bin\pdwascfg.bat -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd sec_master -pdmgrd_host win2k3was5.domain.com -pdacld_host win2k3was5.domain.com -was_home %WAS_HOME% -amwas_home %WAS_HOME% -embedded true -action_type local -verbose true

Migrate the Admin Console App and security

migrateEAR5 -j "c:\WebSphere\DeploymentManager\installedApps\was5\adminconsole.ear" -a sec_master -p sec_master -w tamwasadminpwd -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties" -e adminconsole
migrateEAR5 -j "c:\WebSphere\DeploymentManager\config\cells\was5\admin-authz.xml" -a sec_master -p sec_master -w tamwasadminpwd -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties"
migrateEAR5 -j "c:\WebSphere\DeploymentManager\config\cells\was5\naming-authz.xml" -a sec_master -p sec_master -w tamwasadminpwd -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties"

Example of a successful run:

C:\WebSphere\DeploymentManager\bin>migrateEAR5 -j "c:\WebSphere\DeploymentManager\installedApps\was5\adminconsole.ear" -a sec_master -p sec_master -w tamwasadmin -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties" -e adminconsole
AWXWS0021I   Logging all activity to the file .//pdwas_migrate.log.
AWXWS0025W   The pdwas-admin group already exists, and its members are [].
AWXWS0051E   The migrate tool has successfully completed.

Difference between Stateful UUID and server UUID

  • Stateful Junction :the client system that contains the Unique Universal Identifier (UUID) of the designated back-end server. When the client makes future requests to the same resource, this UUID information ensures that the requests are consistently routed to the same back-end server.
  • Stateful UUID : If you selected Stateful Junction, type the UUID of the back-end server.

Both fields refer to the UUID of the back-end server. When a junction is created to a back-end web server, WebSEAL generates a UUID that identifies that server. That is the "Server UUID", which is shown under "Junction Server Properties".

If the junction is a stateful junction, the "Stateful UUID" field selects which Server UUID to use.

In practice: if you want the junction to be stateful and always use ONE server, put that server's UUID in the field (if that server is down, WebSEAL fails over to another). If you want the junction to be stateful but not glued to a specific server, i.e. let the least-busy algorithm decide which server a new session goes to and then stick to it for that session (requests from the same session carry that server's UUID in the junction cookie and keep going there), leave the field empty.

Enabling credential vault externalization

Enabling credential vault externalization may cause performance problems in WebSphere Portal 5.0 (possibly 5.1 as well), since Portal handles these requests inefficiently.

Forms Single Sign On

There is no way to send the TAM userid/password information to a backend resource. Also, there is no way to create a user with additional LDAP attributes via the TAM management interfaces (CLI or WPM).

Both of these requirements can be solved with TIM in the picture. TIM can be configured to create a user with additional LDAP attributes and then use the TAM agent to import that user into TAM. We have done this at a few customers and there is enough ICAP on this technique.

We can also use TIM to provision the TAM userid/password as a GSO resource for your backend forms-based SSO, but that would compromise the security of the solution. I would suggest that we investigate alternate approaches where the backend is configured to use a dummy password for all users and simply trusts the authentication performed by WebSEAL.

Installing and Configuring Tivoli Access Manager v5.1 for authentication into WAS 5

Set-up: 2 WebSEAL servers, 1 Policy Server / Director, 1 Web Administration machine

SETUP/INSTALL

On Win2k3
        TAM Base CD:\Windows\JRE\install.exe
        TAM Base CD:\Windows\GSKIT\setup policydirector
        TAM Base CD:\Windows\Policy Director\Disk Images\Disk 1\setup.exe
                Runtime
                Policy Server
                Authorization Server
                JRE ( only need for web interface )
                        Full install
                        JRE was IBM JRE
                Configure each one after install using the configure application
On Win2k3Was5
        TAM Base CD:\Windows\JRE\install.exe
        TAM Base CD:\Windows\Directory\setup.exe ( only choose the client )
        Web CD:\Windows\Policy Director\Disk Images\Disk 1\setup.exe
                Runtime
                        configure after install
                                ad host         win2k3.domain.com
                                                7135
                                                Active Directory
                                                not multiple domains
                                ad host         win2k3.domain.com
                                domain          dc=domain,dc=com
                                                not secure
                                                tamadmin/tamadmin
                                dn              dc=domain,dc=com
                                                enable logging checked
                                log directory   ...
Web Security Runtime ( let it reboot when prompted; it will not actually reboot until after WebSEAL is installed )

WebSEAL


        configure after install
                instance name           default
                host name               win2k3was5
                listening port          7234
                admin id                sec_master
                admin password          sec_master
                Allow http access       checked
                port                    88 ( changed from 80 because IBM HTTP Server already uses it )
                allow https             checked
                port                    444 ( changed from 443 because IBM HTTP Server already uses it )
                web doc root            default

Windows XP

        Web Portal Interface for TAM 5.1 CD ( web admin interface )
                Web Portal Interface for TAM 5.1:\Windows\JRE
                Web Portal Interface for TAM 5.1:\Windows2003\WebSphere\Windows2003\install.exe
                        Custom
                                Just turn off embedded messaging

Default for paths
Node                            winxpsp2
Host                            winxpsp2.domain.com
Log on as a services            checked
user/password                   some/some
                Manually put the IBM JRE in the PATH
                Web Portal Interface for TAM 5.1:\Windows\Policy Director\Disk Images\Disk 1\setup.exe

Runtime

        After installation:
        cd \Program Files\Tivoli\Policy Director\sbin

run pdjrtecfg -action config -interactive

Full
JRE Path
host            win2k3
port            7135
domain          Default
logging         enable

run amwpmcfg -action config -interactive
                was location    c:\program files\websphere\appserver
                host            win2k3
                port            7135
                admin           sec_master
                password        sec_master
                domain          Default
If this fails with an invalid user/password error, either the JRE is not in the PATH or
pdjrtecfg was not run correctly.

Portal Manager

        Accept default paths

test:   http://winxpsp2.domain.com:9080/snoop ( probably don't have to use 9080 )
test:   admin https://win2k3was5:444/    sec_master / sec_master
test:   admin https://win2k3was5:444/pkmslogout
test:   admin https://win2k3was5:444/pkmspasswd

admin http://winxpsp2:9080/pdadmin
        create a user   xxx/xxx

admin http://winxpsp2:9080/pdadmin
        WebSEAL
                List Junctions ( each protected application )
                Create Junction
                        point                   /info
                        host                    winxpsp2.domain.com
                        tcp port                9080
                        win32 file..            checked
                        Basic Auth              Supply < this is the "-b supply" argument >
                        User Name (short)       checked
                        User credentials        checked

test:   admin https://win2k3was5:444/info/snoop
Changing from basic to forms based auth:
        WebSeal server (win2k3was5)
                C:\Program Files\Tivoli\PDWeb\etc\webseald-default.conf
                [ba]
                ba-auth = none
                [forms]
                forms-auth = both
                [junction]
                basicauth-dummy-password = passw0rd < registry password of the was_tai user; the WAS TAI validates the BA header sent by the junction against it >

Restart Access Manager WebSEAL service
test:   admin https://win2k3was5:444/info/snoop ( should now see the iv-user and iv-creds headers )

TAI Config.

admin http://winxpsp2:9080/pdadmin
        create a user
                user                    was_tai/passw0rd
                account valid           checked
                password valid          checked
                gso user                checked
                registry                cn=was_tai,cn=users,dc=domain,dc=com

WebSphere ( winxpsp2 )
        Security | Auth Mech | LTPA | Trust Assoc.
                check enable

Security | Auth Mech | LTPA
        password/password

Security | Auth Mech | LTPA | Trust Assoc. | Interceptors | ...WebSealTrust... | Custom properties
        com.ibm.websphere.security.trustassociation.types       WebSEAL
        com.ibm.websphere.security.webseal.loginid              was_tai
        com.ibm.websphere.security.webseal.id                   iv-user
        com.ibm.websphere.security.webseal.hostnames            win2k3was5, win2k3was5.domain.com
        com.ibm.websphere.security.webseal.ports                444
        com.ibm.websphere.security.webseal.mutualSSL            no
        com.ibm.websphere.security.webseal.ignoreProxy          true

Security | Global Security
        Enabled                                 checked
        Enforce J2ee                            unchecked
        Active Auth                             SWAM
        Active User Reg                         LDAP

Security | User Registries | LDAP
        user/pass               wasadmin/wasadmin
        type                    Active Directory
        host                    win2k3
        port                    389
        base dn                 dc=domain,dc=com
        bind dn                 cn=wasadmin,cn=Users,dc=domain,dc=com
        password                wasadmin

stopserver server1 -user wasadmin -password wasadmin
startserver server1 -user wasadmin -password wasadmin

test:   admin https://win2k3was5:444/info/snoop
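The TAI configuration above rests on one shared secret: basicauth-dummy-password on the WebSEAL side must equal the registry password of was_tai, and WAS then takes the user name straight from the iv-user header. The following is an added Python model of that trust decision, written for these notes and not IBM's TAI code. The property values are the ones listed above; the request shape and the Via-header rule (any trusted hop suffices when ignoreProxy is true, every hop must be trusted otherwise) are assumptions. spoof() shows why the WAS port must not be reachable from anything but WebSEAL while mutualSSL is left at "no".

```python
import base64

# Added illustrative model of the WebSEAL -> WAS trust-association check (not IBM's code).
# Property values mirror the interceptor custom properties and webseald.conf settings
# in these notes; the check itself is a simplification of the documented behaviour.
TAI_PROPS = {
    "com.ibm.websphere.security.webseal.loginid": "was_tai",
    "com.ibm.websphere.security.webseal.id": "iv-user",
    "com.ibm.websphere.security.webseal.hostnames": "win2k3was5, win2k3was5.domain.com",
    "com.ibm.websphere.security.webseal.ports": "444",
    "com.ibm.websphere.security.webseal.ignoreProxy": "true",
}
# basicauth-dummy-password from webseald-default.conf; must equal was_tai's registry password.
DUMMY_PASSWORD = "passw0rd"


def _csv(prop):
    """Split a comma-separated TAI property into its trimmed values."""
    return [v.strip() for v in TAI_PROPS[prop].split(",") if v.strip()]


def webseal_request(iv_user, via_host="win2k3was5.domain.com", via_port=444):
    """Constructed headers the /info junction sends to WAS once forms auth succeeded:
    a BA header built from the dummy password plus the iv-user identity header."""
    ba = base64.b64encode(f"was_tai:{DUMMY_PASSWORD}".encode()).decode()
    return {
        "Authorization": f"Basic {ba}",
        "iv-user": iv_user,
        "Via": f"1.1 {via_host}:{via_port}",  # hop added by the reverse proxy (assumed form)
    }


def tai_trust_check(headers, registry_password=DUMMY_PASSWORD):
    """Return the user name WAS should log in as, or None if the request is untrusted.
    registry_password is what the TAI finds for the loginid in the LDAP registry."""
    # 1. The BA header must carry the TAI login id and that user's registry password.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if user != TAI_PROPS["com.ibm.websphere.security.webseal.loginid"] or pw != registry_password:
        return None

    # 2. The Via header must show a listed WebSEAL host:port. Assumption: with
    #    ignoreProxy=true any matching hop suffices; with false every hop must match.
    hops = [h.strip() for h in headers.get("Via", "").split(",") if h.strip()]
    if not hops:
        return None
    trusted = {
        f"{host}:{port}"
        for host in _csv("com.ibm.websphere.security.webseal.hostnames")
        for port in _csv("com.ibm.websphere.security.webseal.ports")
    }
    hop_ok = [hop.split()[-1] in trusted for hop in hops]
    ignore_proxy = TAI_PROPS["com.ibm.websphere.security.webseal.ignoreProxy"].lower() in ("true", "yes")
    if not (any(hop_ok) if ignore_proxy else all(hop_ok)):
        return None

    # 3. The identity is taken straight from the iv-user header; nothing else is verified,
    #    so WAS trusts whoever holds the dummy password and can reach its port.
    return headers.get(TAI_PROPS["com.ibm.websphere.security.webseal.id"]) or None


def spoof(victim="sec_master", forge_via=False):
    """Direct request to WAS from a host that is not WebSEAL, by someone who knows
    basicauth-dummy-password. With an honest Via hop the hostname check rejects it;
    with a forged Via hop (the header is attacker-controlled) it is accepted."""
    host = "win2k3was5.domain.com" if forge_via else "attacker.example.net"
    return tai_trust_check(webseal_request(victim, via_host=host))
```

The hostnames/ports check only filters requests whose Via header is honest, and the Via header is written by whoever sends the request. The real controls are therefore network reachability of the WAS HTTP port (only WebSEAL should be able to connect) and mutualSSL, which this lab leaves at "no".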

Win2k3 Setup ( Windows Server 2003 Enterprise )

Active Directory Domain Controller (netbios domain, DNS domain.com)
DHCP
DNS
Users
        domain\Administrator:password   ( Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator, Schema Admins )
                restore mode password: password
        domain\wasadmin:wasadmin        ( Domain Users )
        domain\xxxx:xxxx        ( Domain Users )
        domain\tamadmin:tamadmin        ( Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator, Schema Admins )

Win2k3was5 Setup ( Windows Server 2003 Enterprise )

WebSphere 5.1.1.5 ND (DeploymentManager, AppServer1, AppServer2)
Users
        win2k3was5\wasadmin:wasadmin    ( Administrators )
        win2k3was5\tamadmin:tamadmin    ( Administrators )
        domain\wasadmin                 ( Administrators )
        domain\tamadmin                 ( Administrators )
                Give domain\tamadmin access to the local security policy log on as a service

WinXpSp2 Setup ( Windows XP Service Pack 2 )

Users
        winxpsp2\xxxx:xxxx      ( Administrators )
        domain\xxxx                     ( Administrators )

Internal SSL

Do not enable SSL on internal in-box communication, to avoid unnecessary complexity and computational overhead.

Log types

The mgmt audit log exists only on the policy server (PD) and the http audit log only on WebSEAL; both have the azn and authn audit logs.

SPNEGO authentication limitations

The following WebSEAL features are not supported with SPNEGO authentication:

  • POP or session-timer-based reauthentication of SPNEGO-authenticated clients.
  • Password change using pkmspasswd.
  • SPNEGO clients cannot log out of WebSEAL. Clients must log out from the workstation. Clients that access WebSEAL pkms command pages (except switch user) receive the PKMS help page.
  • Reauthentication when the inactive session timer expires for SPNEGO clients. The user cache entry is deleted and the information in the header received from the SPNEGO client is used to reauthenticate: the client does not have to log in again, but receives a new session cache entry.
  • Reauthentication when a user accesses an object with a reauthentication policy attached. In this case access is denied, and the user receives a message stating that reauthentication is required.

The following limitations also apply:

  • Microsoft NT LAN Manager (NTLM) authentication is not supported. However, the Tivoli Access Manager Web Plug-in for IIS supports NTLM, so WebSEAL can be deployed in an e-community single sign-on solution that uses the Web Plug-in for IIS to accomplish SPNEGO authentication using NTLM.
  • Using SPNEGO simultaneously with other authentication methods does not work with Netscape 4.7.

TAIxx

When configuring TAI++, pay attention to the difference in fields between WAS 5.1.1 (the default for Portal 5.1) and WAS 6.0.

TAM as JACC

Look here and here.

WAS.TAM Java configs

[1] chapter 10 [2]

e:/Tivoli/POLICY~1/java/export/pdwpm/pdwpm.ks            ( keystore used by Web Portal Manager )
e:\WEBSPH~1\APPSER~1\java\jre\PolicyDirector\PDCA.ks    ( truststore holding the Access Manager CA certificate for the Java runtime )

WebSEAL LDAP failover

As a general rule, WebSEAL can only fail over when the connection to an LDAP server is lost because of a network, hardware or service failure. It cannot recover from a "soft" error inside the LDAP server software, such as a suffix becoming inaccessible. Therefore make sure you are on the latest fix packs for the LDAP server, and that it is properly configured and monitored.

Stateful Junctions

Stateful junctions allow requests from a specific session to always be sent to the same server on a junction. If the junctioned server being used is throttled, the stateful session is allowed to continue accessing that server, but new stateful sessions are blocked from using it. If a junctioned server is taken offline, stateful sessions are no longer allowed to access it; these sessions must choose a new junctioned server and may lose their original state information. (from am60_webseal_admin.pdf, section on junction throttling)
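To make the difference between the two UUID fields (section "Difference between Stateful UUID and server UUID" above) and the throttling/offline rules in this section concrete, here is an added Python model of the routing decision. It is written for these notes and is not WebSEAL's code: the three server states, the session-id keyed binding table (standing in for the junction cookie that carries the Server UUID), and "least busy" defined as fewest bound sessions are all assumptions.

```python
import uuid
from dataclasses import dataclass, field

# Added model of WebSEAL stateful-junction routing (illustrative, not WebSEAL's code).
ONLINE, THROTTLED, OFFLINE = "online", "throttled", "offline"


@dataclass
class JunctionedServer:
    host: str
    port: int
    state: str = ONLINE
    # "Server UUID": generated by WebSEAL when the server is added to the junction.
    server_uuid: str = field(default_factory=lambda: str(uuid.uuid4()))
    sessions: int = 0  # sessions currently bound here (drives the least-busy choice)


class StatefulJunction:
    def __init__(self, point, servers, stateful_uuid=None):
        self.point = point
        self.servers = {s.server_uuid: s for s in servers}
        # The "Stateful UUID" field; None means the field was left empty.
        if stateful_uuid is not None and stateful_uuid not in self.servers:
            raise ValueError("Stateful UUID must be the Server UUID of a server on this junction")
        self.stateful_uuid = stateful_uuid
        self.bindings = {}  # session id -> server_uuid (what the junction cookie carries)

    def _choose_for_new_session(self):
        # Throttled and offline servers accept no NEW stateful sessions.
        candidates = [s for s in self.servers.values() if s.state == ONLINE]
        if not candidates:
            raise RuntimeError(f"no server available on junction {self.point}")
        pinned = self.servers.get(self.stateful_uuid)
        if pinned is not None and pinned.state == ONLINE:
            return pinned  # Stateful UUID set: always this server while it is up
        # Field empty (or pinned server down): least busy, which is also the failover path.
        return min(candidates, key=lambda s: s.sessions)

    def route(self, session_id):
        """Return the server that handles this request for session_id."""
        bound = self.bindings.get(session_id)
        if bound is not None:
            server = self.servers[bound]
            if server.state != OFFLINE:
                return server  # existing sessions keep going, even to a throttled server
            # Server taken offline: the binding is dropped and state held there is lost.
            server.sessions -= 1
            del self.bindings[session_id]
        server = self._choose_for_new_session()
        self.bindings[session_id] = server.server_uuid
        server.sessions += 1
        return server
```

Setting the Stateful UUID makes the junction behave like a single-server junction with a standby; leaving it empty spreads new sessions by load while still keeping each session on one server. Either way, a server going offline costs the sessions bound to it whatever state that server held.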
