Configuring Security Access Manager for authentication, authorization, and the Credential Vault | HCL Digital Experience
You can configure Security Access Manager for authentication, authorization, and the vault adapter with one task.
Procedure
- Start the Security Access Manager policy and authorization servers, which are mandatory for successful configuration and for single sign-on (SSO) to occur.
- Create your junctions on the WebSEAL server. Refer to the IBM Security Access Manager for e-business documentation for guidance on junction creation. Complete the following steps to create a virtual host TCP junction:
- Optional: If you plan to use an SSL junction, more steps are needed before you can create the junction. The necessary key and truststore must be set up with the correct certificates to enable SSL. Follow the instructions in steps 1 - 3 of the topic about configuring SSL. Then, complete the following steps to create the virtual host junction:
- Use the IBM® Key Management utility to load the web server certificate into the key ring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
- Restart WebSEAL.
- Follow the steps mentioned earlier to create the junction, but change the -t value to ssl and add the appropriate set of options from the Mutually Authenticated SSL junctions section of the WebSEAL Administration Guide: -B, -D, -K, -U, and -W.
- Enter the following tasks on the pdadmin command to create the trusted user account.
Tip: This step is mandatory for TAI junctions only. Skip this step if you created an LTPA junction. An LTPA junction is created when you use the -A parameter. Refer to the Security Access Manager for e-business documentation for this advanced configuration.
The trusted user account in the Security Access Manager user registry must be the same as the one that the TAI within WebSphere® Application Server is configured to use. It is the ID that WebSEAL uses to identify itself to WebSphere® Application Server by using the -b supply option, and it is one of the underlying TAI security requirements.
Note: To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account must be a dedicated user account for the purposes of communication between WebSEAL and the TAI.
- pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
- pdadmin> user modify webseal_userid account-valid yes
- Clustered environments: Complete this step on all nodes. Run the following task in the wp_profile_root/ConfigEngine directory to validate that the PdPerm.properties file is correct and that communication between HCL Portal and the Security Access Manager server works:
Tip: Run the validate-pdadmin-connection task on the HCL Portal node or on each node in a clustered environment. In a clustered environment, WasPassword is the Deployment Manager administrator password. The wp.ac.impl.PDAdminPwd is the Security Access Manager administrative user password.
Table 1. Task to validate that the PdPerm.properties file exists, by operating system
- AIX®: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
- HP-UX: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
- IBM® i: ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
- Linux™: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
- Solaris: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
- Windows™: ConfigEngine.bat validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
- z/OS®: ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
If the task does not run successfully: Run the run-svrssl-config task to create the properties file. For information, refer to Creating the PdPerm.properties file. Then, run the validate-pdadmin-connection task again. If the task is not successful after a second attempt, do not proceed with any subsequent steps. A failing task indicates that your portal cannot connect to the Security Access Manager server. Troubleshoot the connectivity issue between your portal instance and the Security Access Manager server.
- Use a text editor to open the wkplc_comp.properties file in the following directory:
- AIX® HP-UX Linux™ Solaris: wp_profile_root/ConfigEngine/properties
- IBM® i: wp_profile_root/ConfigEngine/properties
- Windows™: wp_profile_root\ConfigEngine\properties
Clustered environments: Complete this step on all nodes.
- Update the following properties in the wkplc_comp.properties file:
- Update the Namespace management parameters in the wkplc_comp.properties file for Advanced Security Configuration by using External Security Managers:
- For wp.ac.impl.EACserverName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.
Note: If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set. All three parameters must be set or none of them.
- For wp.ac.impl.EACcellName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.
Note: If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.
- For wp.ac.impl.EACappname, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.
Note: If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserverName must also be set.
- For wp.ac.impl.reorderRoles, type false to keep the role order or true to reorder the roles by resource type first.
- PDJrteCfg command and file system parameters:
- For wp.ac.impl.TamHost under the SvrSslCfg command parameter heading in the wkplc_comp.properties file, type the Security Access Manager Policy Server that is used when you run PDJrteCfg.
- WebSphere® Application Server WebSEAL TAI parameters:
- Enter the following parameter in the wkplc_comp.properties file; go to the WebSEAL junction parameters heading:
Cluster note: Complete this step on all nodes in the cluster. The following parameters must match on all nodes in the clustered environment. The one exception is the wp.ac.impl.PDServerName parameter.
- For wp.ac.impl.TAICreds, type the headers that are inserted by WebSEAL that the TAI uses to identify the request as originating from WebSEAL.
- Enter the following parameters in the wkplc_comp.properties file; go to the WebSEAL TAI parameters heading:
Cluster note: Complete this step on all nodes in the cluster. The following parameters must match on all nodes in the clustered environment. The one exception is the wp.ac.impl.PDServerName parameter.
- Optional: For wp.ac.impl.hostnames, type the host name that sets the WebSEAL TAI's host name parameter. This value must match the -h and -p parameters from the junction creation command.
- Optional: For wp.ac.impl.ports, type the port that is used to set the WebSEAL TAI's ports parameter. This value must match the -p parameter from the junction creation command.
- For wp.ac.impl.loginId, type the reverse proxy identity that is used when you create a TCP junction. This value must match the trusted user account.
- Update the following parameters in the wkplc_comp.properties file; go to the Portal authorization parameters heading:
- For wp.ac.impl.PDRoot, type the root object space name in the Security Access Manager namespace for the resource entries for this portal. All Portal roles are installed with this entry. For multiple profiles and portal instances that all share a common Security Access Manager instance, choose a unique name for each root object space entry. This unique name helps to easily distinguish the resources for different instances. Or use a common PDRoot value for all Portal instances so that all Portal roles from any instance have a common parent. You can then use the EACappname parameter to distinguish between instances. If it better suits your administration models, you can also mix these two approaches, by using a common PDRoot value for some instances, and unique PDRoot values for others.
- For wp.ac.impl.PDAction, type the Custom Action created by the Security Access Manager external authorization plug-in. The combination of the action group and the action determines the Security Access Manager permission string. The permission string is used to assign membership to externalized portal roles. You might want to check with your Security Access Manager administrator to determine what they want the PDActionGroup and PDAction values to be.
- For wp.ac.impl.PDActionGroup, type the Custom Action group that is created by the Security Access Manager external authorization plug-in. The combination of the action group and the action determines the Security Access Manager permission string. The permission string is used to assign membership to externalized portal roles.
- For wp.ac.impl.PDCreateAcl, set the value to true to automatically create and attach a Security Access Manager ACL when HCL Portal externalizes the roles for a resource. Set the value to false to not create and attach a Security Access Manager ACL when HCL Portal externalizes the roles for a resource. In this case, the Security Access Manager Administrator must manually create and attach ACLs to the object space entries for the externalized portal resources and roles. Any ACLs created manually in this way must use the PDAction and PDActionGroup values in order for the permissions to be found.
- Enter the following parameters in the wkplc_comp.properties file; go to the Portal vault parameters heading:
Cluster note: Complete this step on all nodes in the cluster. The following parameters must match on all nodes in the clustered environment. The one exception is the wp.ac.impl.PDServerName parameter.
- For wp.ac.impl.vaultType, type the new vault type identifier that represents the Tivoli® GSO lockbox vault.
- For wp.ac.impl.vaultProperties, type the file that is used to configure the vault with Security Access Manager specific user and SSL connection information.
- For wp.ac.impl.manageResources, type true if the credential vault or any custom portlets are allowed to create new resource objects in Security Access Manager. Or type false to allow only the Security Access Manager administrator to define the accessible resources to associate users with from the command line or graphical user interface.
- For wp.ac.impl.readOnly, type true to allow credential vault or any custom portlets to modify the secrets that are stored in Security Access Manager. Or type false to allow only the Security Access Manager administrator to modify the secrets from the command line or graphical user interface.
- Save your changes to the properties file.
- Open a command prompt and change to the wp_profile_root/ConfigEngine directory.
- Run the following task to enable Security Access Manager authentication, authorization, and the credential vault:
- AIX®: ./ConfigEngine.sh enable-tam-all -DWasPassword=password
- HP-UX: ./ConfigEngine.sh enable-tam-all -DWasPassword=password
- IBM® i: ConfigEngine.sh enable-tam-all -DWasPassword=password
- Linux™: ./ConfigEngine.sh enable-tam-all -DWasPassword=password
- Solaris: ./ConfigEngine.sh enable-tam-all -DWasPassword=password
- Windows™: ConfigEngine.bat enable-tam-all -DWasPassword=password
Clustered environments:
- Complete this step on all nodes.
- WasPassword is the Deployment Manager administrative password.
If the task does not run successfully: Ensure that the values you specified in wkplc_comp.properties are valid.
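Before running enable-tam-all it is worth checking the wkplc_comp.properties values against the rules stated above. The following script is an added example, not part of HCL Digital Experience or the ConfigEngine tooling: it reads a constructed wkplc_comp.properties (all values are placeholders) and flags a lone EAC namespace parameter, a trusted user of sec_master or wpsadmin in wp.ac.impl.loginId, switches that are not literally true or false, and missing authorization or vault parameters.

```shell
# Added sanity check for wkplc_comp.properties (not HCL's code); property names are those the page lists.
prop() { # prop FILE KEY -> last value of KEY, or empty when unset
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
check_tam_props() { # check_tam_props FILE; prints findings, returns their count
  f=$1; n=0; set_cnt=0
  # Page rule: EACserverName, EACcellName and EACappname are all-or-none.
  for k in wp.ac.impl.EACserverName wp.ac.impl.EACcellName wp.ac.impl.EACappname; do
    if [ -n "$(prop "$f" "$k")" ]; then set_cnt=$((set_cnt + 1)); fi
  done
  if [ "$set_cnt" -ne 0 ] && [ "$set_cnt" -ne 3 ]; then
    echo "set all three EAC namespace parameters or none"; n=$((n + 1))
  fi
  # The trusted user must be a dedicated account, never sec_master or wpsadmin.
  case "$(prop "$f" wp.ac.impl.loginId)" in
    "") echo "wp.ac.impl.loginId is not set"; n=$((n + 1)) ;;
    sec_master|wpsadmin) echo "wp.ac.impl.loginId must be a dedicated trusted user"; n=$((n + 1)) ;;
  esac
  # Switches the page documents as true/false must be exactly that.
  for k in wp.ac.impl.PDCreateAcl wp.ac.impl.manageResources wp.ac.impl.readOnly; do
    case "$(prop "$f" "$k")" in true|false) ;; *) echo "$k must be true or false"; n=$((n + 1)) ;; esac
  done
  # Values the authorization and vault setup cannot work without.
  for k in wp.ac.impl.TamHost wp.ac.impl.PDRoot wp.ac.impl.PDAction wp.ac.impl.PDActionGroup \
           wp.ac.impl.vaultType wp.ac.impl.vaultProperties; do
    [ -n "$(prop "$f" "$k")" ] || { echo "$k is not set"; n=$((n + 1)); }
  done
  return "$n"
}
# Constructed sample files (placeholder values, not a real deployment).
TMPD=$(mktemp -d); GOOD=$TMPD/good.properties; BAD=$TMPD/bad.properties
cat >"$GOOD" <<'EOF'
wp.ac.impl.TamHost=tam-policy.example.test
wp.ac.impl.EACserverName=ExampleServer
wp.ac.impl.EACcellName=ExampleCell
wp.ac.impl.EACappname=ExampleApp
wp.ac.impl.loginId=webseal_userid
wp.ac.impl.PDRoot=/ExamplePortal
wp.ac.impl.PDAction=x
wp.ac.impl.PDActionGroup=ExampleGroup
wp.ac.impl.PDCreateAcl=true
wp.ac.impl.vaultType=ExampleVaultType
wp.ac.impl.vaultProperties=examplevault.properties
wp.ac.impl.manageResources=true
wp.ac.impl.readOnly=false
EOF
# Same file with three mistakes: sec_master as trusted user, a lone EACcellName, readOnly=yes.
sed -e 's/^wp.ac.impl.loginId=.*/wp.ac.impl.loginId=sec_master/' -e '/EACserverName/d' \
    -e '/EACappname/d' -e 's/^wp.ac.impl.readOnly=.*/wp.ac.impl.readOnly=yes/' "$GOOD" >"$BAD"
```

Run it as `check_tam_props /path/to/wkplc_comp.properties`; a non-zero exit status is the number of findings printed.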
- Complete the following steps to set the value for the systemcred.dn property:
Note: The systemcred.dn property defines the distinguished name of the vault administrative user. All system credentials are stored under this user account. For Security Access Manager, this user must be an existing Security Access Manager user. The Security Access Manager adapter checks that the user exists in Security Access Manager before the slots are accessed.
- Log on to the WebSphere® Integrated Solutions Console.
- Go to .
- Click WP CredentialVaultService.
- Under Additional Properties, click Custom properties.
- Edit the systemcred.dn property. Set the value to an existing Security Access Manager user.
- Optional: Go to Enabling user provisioning to enable user provisioning.
- If you are using Security Access Manager integrated with HCL Digital Experience in a stand-alone environment that does not include a web server between WebSEAL and Portal, complete the following steps:
- Log on to the WebSphere® Integrated Solutions Console.
- Go to and then click .
- Click New and then add the com.ibm.ws.webcontainer.extracthostheaderport custom property with a value of true.
- Click OK.
- Click New and add the trusthostheaderport custom property with a value of true.
- Click OK.
- Click Save to save your changes.
- Log out of the WebSphere® Integrated Solutions Console.
- Stop and restart the appropriate servers to propagate the changes. For specific instructions, see Starting and stopping servers, deployment managers, and node agents.
- Go to the WebSEAL node and edit the webseald-instance.conf file for the appropriate WebSEAL instance. An example is webseald-default.conf. In this file, set the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WebSphere® Application Server; this is the password of the trusted user ID that was created in an earlier step. Stop and start the WebSEAL server before you continue.
- If your WebSEAL instance is on the Windows™ operating system, limit the length of the generated URLs. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.
- Some functions of HCL Digital Experience require the PUT and DELETE HTTP methods. By default, WebSEAL does not allow these requests. You must either allow these methods at the applicable WebSEAL ACL and web server, or change the HTTP methods in the x-method-override configuration in the WebSEAL configuration file webseald-instance.conf.