External Access Control Service | HCL Digital Experience
The portal External Access Control Service is responsible for collecting authorization data from external security managers, such as Computer Associates eTrust SiteMinder or IBM Security Access Manager.
In the WebSphere® Integrated Solutions Console, the portal External Access Control Service is listed as WP ExternalAccessControlService.
In the portal External Access Control Service, you can modify the configuration properties listed below. Plan well ahead and apply special care when modifying these properties: they determine how HCL Portal connects to the external security manager and how portal roles are named there.
General properties of the External Access Control Service
These properties are used for general purposes of the External Access Control Service.
- externalaccesscontrol.ready = (false)
- This property indicates whether the configuration in this file has been completed to connect to the External Security Manager. The default value is false.
- externalaccesscontrol.server = HCL Portal and HCL Web Content Manager
- externalaccesscontrol.application = WPS
- externalaccesscontrol.cell = cell
- Role name representations are qualified with a context built from these three properties. For example, the role Administrator@External_Access_Control/xxx/xxx is represented as follows:
- Security Access Manager: protected object space entry
/WPSv6/Administrator@External_Access_Control/xxx/xxx/WPS/HCL Portal and HCL Web Content Manager/cell
- eTrust SiteMinder: resource/subrealms under Domain: WebSphere Portal v8
/cell/HCL Portal and HCL Web Content Manager/WPS/Administrator@External_Access_Control/xxx/xxx
Access Manager configuration
Use the following properties to configure the connection between HCL Portal and your Tivoli Access Manager (now IBM Security Access Manager).
- externalaccesscontrol.pdroot = (/WPSv6)
- After you have completed the AMJRTE and SvrSslCfg configuration tasks, the following directives are required to allow HCL Portal to use Tivoli Access Manager as an External Security Manager. Provide the root of your Protected Object Space for Portal Server entries.
- externalaccesscontrol.pduser = sec_master
- externalaccesscontrol.pdpw = passw0rd
- Use these properties to provide an administrative user ID and password with adequate rights in Tivoli to create, delete and modify the objects in the Protected Object Space. The password shown is a placeholder; use the password of your own administrative account. You can use the WebSphere® Application Server PropFilePasswordEncoder utility to mask the password. Masking only obfuscates the value and is reversible, so also restrict read access to this file. Using PropFilePasswordEncoder removes all comments and all properties that are commented out, so create a backup copy of this file for future reference before running it. Example (the same command applies on AIX®, IBM® i, Linux™, Solaris, Windows™ and z/OS®):
AppServer_root/bin/PropFilePasswordEncoder wp_profile_root/PortalServer/config/properties/ExternalAccessControlService.properties externalaccesscontrol.pdpw
Note: Type this command on one line in a command line window.
- externalaccesscontrol.pdurl=file:///${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties
- Use this property to specify the URL of the Access Manager properties file for AMJRTE. The URL must be in the format file:///directory_path_to_properties_file. HTTP URLs are not supported.
- externalaccesscontrol.createAcl = (true)
- This property is optional. Use it to specify whether Access Control Lists (ACLs) are created in Access Manager for roles that are stored externally. The default is true. If this property is set to false, the Access Manager administrator is responsible for all ACL linkages between Security Access Manager and HCL Portal. Possible values are:
- true
- A Security Access Manager ACL is created for every HCL Portal resource. This is the default.
- false
- No ACLs are created for portal objects.
- externalaccesscontrol.pdactiongroup = ([WPS])
- externalaccesscontrol.pdAction = (m)
- These properties are optional. Use them to specify the action group and the customized action that are mapped to portal role membership. If these items do not exist, they are created at startup. The values shown are the defaults.
Computer Associates eTrust SiteMinder policy server information
- externalaccesscontrol.domainname = WebSphere Portal V 8
- Use this property to specify the name of the domain that HCL Portal creates in eTrust SiteMinder (visible in the eTrust SiteMinder administrative GUI). All realms and sub-realms are created under this domain. The domain is created when HCL Portal starts.
- externalaccesscontrol.scheme = (Basic)
- Use this property to specify the authentication scheme to associate with the realms. You must define this scheme in eTrust SiteMinder before starting HCL Portal. The default value is Basic.
- externalaccesscontrol.agentname = wpsagent
- externalaccesscontrol.agentsecret = passw0rd
- Use these properties to specify the agent name and shared secret used to establish a run time connection with eTrust SiteMinder. The agent must be a web agent with a static shared secret; for Web Agent versions later than 4.6, enable the "Supports 4.x agents" option on the eTrust SiteMinder web agent definition. The secret shown is a placeholder. You can use the WebSphere® Application Server PropFilePasswordEncoder utility to mask the secret. Note: Using PropFilePasswordEncoder removes all comments and all properties that are commented out. Therefore create a backup copy of this file for future reference before using the utility. An example of masking the secret is:
AppServer_root/bin/PropFilePasswordEncoder wp_profile_root/PortalServer/config/properties/ExternalAccessControlService.properties externalaccesscontrol.agentsecret
Note: Type this command on one line in a command line window.
- externalaccesscontrol.admin = siteminder
- externalaccesscontrol.password = passw0rd
- Use these properties to specify the administrative user ID and password of a user who can create, delete and modify the eTrust SiteMinder objects that represent HCL Portal roles. This user ID must have sufficient access to domain level objects in eTrust SiteMinder; because its credentials are stored in this file, do not grant it more than that. You can use the WebSphere® Application Server PropFilePasswordEncoder utility to mask the password. Note: Using PropFilePasswordEncoder removes all comments and all properties that are commented out. Therefore create a backup copy of this file for future reference before using the utility. An example of masking the password is:
AppServer_root/bin/PropFilePasswordEncoder wp_profile_root/PortalServer/config/properties/ExternalAccessControlService.properties externalaccesscontrol.password
Note: Type this command on one line in a command line window.
- externalaccesscontrol.userdir = (User Directory 1)
- Use this property to specify the User Directory associated with the domain. You can configure failover for user directories in the eTrust SiteMinder administrative GUI. The user directory must exist before you start HCL Portal.
- externalaccesscontrol.failOver = (false)
- Use this property to specify whether the ESM subsystem switches to another Policy Server if it cannot contact the current one. Possible values are true and false. You can specify this property as either externalaccesscontrol.failOver or externalaccesscontrol.failover. Note: Coordinate this value carefully with the number of Policy Server IP addresses specified in the servers property. If you specify multiple Policy Server addresses in the servers property and this property is set to false, the Computer Associates Agent API performs round-robin load balancing, distributing (spraying) requests across the configured Policy Servers. That may be appropriate for a TAI that only performs read operations against the Policy Servers, but not for write operations such as creating the domain, realms and sub-realms that represent portal roles. If you define multiple servers in the externalaccesscontrol.servers property (described next), set failOver to true.
- externalaccesscontrol.servers = server1,server2, . . .
- Use this property to specify the IP addresses of all Policy Servers. Separate multiple addresses with commas. An example is: servers=10.0.0.1,10.0.0.2. Note: If you define multiple servers in the externalaccesscontrol.servers property, set the failOver property to true. You can define the following properties for each server. To differentiate the properties for each server, specify the keys in the format Server IP address.key=value. The defaults are assumed for any keys that you omit. The available keys are as follows:
- accountingPort = (44441)
- The accounting port for the Policy Server. The default is 44441.
- authenticationPort = (44442)
- The authentication port for the Policy Server. The default is 44442.
- authorizationPort = (44443)
- The authorization port for the Policy Server. The default is 44443.
- connectionMax = (10)
- The maximum number of connections that the authorization service may open to this Policy Server. The default is 10.
- connectionMin = (1)
- The initial number of connections that the authorization service establishes with this Policy Server. The default is 1.
- connectionStep = (1)
- The number of additional connections allocated when the authorization service runs out of connections to the Policy Server. The default is 1.
- timeout = (20)
- The connection timeout in seconds. The default is 20.
An example for a Policy Server at 10.0.0.1 that keeps the default ports but uses a larger connection pool and a longer timeout:
10.0.0.1.accountingPort=44441
10.0.0.1.authenticationPort=44442
10.0.0.1.authorizationPort=44443
10.0.0.1.connectionMax=30
10.0.0.1.connectionMin=10
10.0.0.1.connectionStep=5
10.0.0.1.timeout=60
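The failOver and servers rules above are easy to get wrong by hand, so here is an added example (not HCL's code) that reads a SiteMinder fragment of ExternalAccessControlService.properties, expands the per-server keys with the documented defaults, and reports the inconsistencies this page warns about: several Policy Servers without failOver=true, a connection pool whose minimum exceeds its maximum, and secrets left in clear text. The properties text is constructed for illustration (the 10.0.0.x addresses are placeholders), and the clear-text check assumes that a value masked by PropFilePasswordEncoder begins with the {xor} prefix.

```python
"""Consistency check for the SiteMinder settings of ExternalAccessControlService.properties.

Added example, not HCL's code. SAMPLE is constructed; the "{xor}" prefix test is an
assumption about how PropFilePasswordEncoder marks masked values.
"""

PREFIX = "externalaccesscontrol."

# Per-server keys and their defaults, as documented on this page.
SERVER_KEY_DEFAULTS = {
    "accountingPort": 44441,
    "authenticationPort": 44442,
    "authorizationPort": 44443,
    "connectionMax": 10,
    "connectionMin": 1,
    "connectionStep": 1,
    "timeout": 20,
}

# Properties that hold credentials and should be masked.
SECRET_KEYS = ("pdpw", "agentsecret", "password")

# Constructed sample: two Policy Servers, failOver left at false,
# agent secret masked, SiteMinder admin password still in clear text.
SAMPLE = """\
# constructed sample, not a real deployment
externalaccesscontrol.ready = true
externalaccesscontrol.domainname = WebSphere Portal V 8
externalaccesscontrol.scheme = Basic
externalaccesscontrol.agentname = wpsagent
externalaccesscontrol.agentsecret = {xor}KD4sPjsyNjE=
externalaccesscontrol.admin = siteminder
externalaccesscontrol.password = passw0rd
externalaccesscontrol.userdir = User Directory 1
externalaccesscontrol.failover = false
externalaccesscontrol.servers = 10.0.0.1, 10.0.0.2
10.0.0.1.connectionMax = 30
10.0.0.1.timeout = 60
10.0.0.2.authorizationPort = 44453
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever of '=' or ':' comes first (enough for these keys).
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def get(props, name):
    """Look up externalaccesscontrol.<name>; failOver may also be spelled failover."""
    val = props.get(PREFIX + name)
    if val is None and name == "failOver":
        val = props.get(PREFIX + "failover")
    return val


def policy_servers(props):
    """Expand <ip>.<key> settings for every listed server, applying the defaults."""
    servers = [s.strip() for s in (get(props, "servers") or "").split(",") if s.strip()]
    return {
        ip: {k: int(props.get(f"{ip}.{k}", d)) for k, d in SERVER_KEY_DEFAULTS.items()}
        for ip in servers
    }


def check(props):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    servers = policy_servers(props)
    fail_over = (get(props, "failOver") or "false").lower() == "true"
    # Several servers with failOver=false means round-robin spraying of
    # write operations across Policy Servers, which the page warns against.
    if len(servers) > 1 and not fail_over:
        findings.append("multiple servers configured but failOver is not true")
    for ip, cfg in servers.items():
        if cfg["connectionMin"] > cfg["connectionMax"]:
            findings.append(f"{ip}: connectionMin exceeds connectionMax")
        if cfg["connectionStep"] < 1 or cfg["timeout"] < 1:
            findings.append(f"{ip}: connectionStep and timeout must be positive")
    for key in SECRET_KEYS:
        val = get(props, key)
        if val is not None and not val.startswith("{xor}"):
            findings.append(f"{key} is stored in clear text; run PropFilePasswordEncoder")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for ip, cfg in policy_servers(props).items():
        print(ip, cfg)
    for finding in check(props):
        print("FINDING:", finding)
```

Run it against the real file by replacing SAMPLE with the file's contents; the only findings for the constructed sample are the missing failOver=true and the clear-text admin password, and the expanded server table shows the documented defaults filled in for every key the sample omits.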