Tivoli Policy Director for WebLogic Server

Transcription

1 Tivoli Policy Director for WebLogic Server User Guide Version 3.8 SC

2

3 Tivoli Policy Director for WebLogic Server User Guide Version 3.8 SC

4 Tivoli SecureWay Policy Director for WebLogic Server User Guide Copyright Notice Copyright IBM Corporation All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished as is without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose. U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation. Trademarks IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Notices References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York , U.S.A.

5 Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Tivoli Policy Director for WebLogic Server User Guide iii

6 iv Version 3.8

7 Contents Preface... Who Should Read This Book... vii What This Book Contains... vii Publications... vii Tivoli Policy Director Library... viii Prerequisite Publications.... viii Accessing Publications Online... viii Ordering Publications... ix Providing Feedback about Publications... ix Contacting Customer Support... ix Conventions Used in This Book... x Typeface Conventions... x Chapter 1. Introducing Policy Director for WebLogic Server... 1 Introducing Policy Director... 1 Integrating Policy Director and WebLogic Server Using Policy Director Authentication... 5 Using Policy Director Authorization... 7 Chapter 2. Installing Policy Director for WebLogic Server... 9 Software Contents... 9 Supported Platforms Installation Packages Software Prerequisites WebLogic Server vii Tivoli Policy Director for WebLogic Server User Guide v

8 Policy Director Installing Policy Director for WebLogic Server Configuring Policy Director for WebLogic Server Configuring a Custom Realm Configuring a WebSEAL Junction for the WebLogic Server Testing the Configuration Chapter 3. Using Policy Director for WebLogic Server 25 Using the Demonstration Application Creating Test Users Usage Tips Troubleshooting Tips Limitations vi Version 3.8

9 Preface Welcome to Tivoli Policy Director for WebLogic Server. This product extends Policy Director to support applications written for BEA WebLogic Server. This guide provides installation, configuration, and administration instructions. Who Should Read This Book The target audience for this administration guide includes: Security administrators System installation and deployment administrators Network system administrators IT architects What This Book Contains Publications This document contains the following chapters: Chapter 1, Introducing Policy Director for WebLogic Server Presents an overview of the authentication and authorization services provided by Policy Director for WebLogic Server. Chapter 2, Installing Policy Director for WebLogic Server Describes how to install and configure Policy Director for WebLogic Server. Chapter 3, Using Policy Director for WebLogic Server Describes how to use the demonstration application, and provides usage tips, troubleshooting information, and limitations. This section lists publications in the Tivoli Policy Director library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications. Tivoli Policy Director for WebLogic Server User Guide vii

10 Publications Tivoli Policy Director Library The following documents are available in the Tivoli Policy Director library: Tivoli SecureWay Policy Director Base Installation Guide, GC Tivoli SecureWay Policy Director Base Administration Guide, GC Tivoli SecureWay Policy Director Web Portal Manager Administration Guide, GC Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC Tivoli SecureWay Policy Director WebSEAL Developer Reference, GC Tivoli SecureWay Policy Director Release Notes, GI Prerequisite Publications To be able to use the information in this book effectively, you must have some prerequisite knowledge, which you can get from the following books: Tivoli SecureWay Policy Director Base Installation Guide, GC Tivoli SecureWay Policy Director Base Administration Guide, GC Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC Accessing Publications Online You can access many Tivoli publications online at the Tivoli Customer Support Web site: viii Version 3.8

11 Publications These publications are available in PDF or HTML format, or both. Translated documents are also available for some products. Ordering Publications You can order many Tivoli publications online at the following Web site: You can also order by telephone by calling one of these numbers: In the United States: In Canada: In other countries, for a list of telephone numbers, see the following Web site: Providing Feedback about Publications We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways: Send an to pubs@tivoli.com. Complete our customer feedback survey at the following Web site: Contacting Customer Support If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site: Tivoli Policy Director for WebLogic Server User Guide ix

12 Contacting Customer Support The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information: Registration and eligibility Telephone numbers and addresses, depending on the country you are in What information you should gather before contacting support Conventions Used in This Book This book uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics. Typeface Conventions The following typeface conventions are used in this book: Bold Italic Monospace Lowercase and mixed-case commands, command options, and flags that appear within text appear like this, in bold type. Graphical user interface elements (except for titles of windows and dialogs) and names of keys also appear like this, in bold type. Variables, values you must provide, new terms, and words and phrases that are emphasized appear like this, in italic type. Commands, command options, and flags that appear on a separate line, code examples, output, and message text appear like this, inmonospace type. Names of files and directories, text strings you must type, when they appear within text, names of Java methods and classes, and HTML and XML tags also appear like this, inmonospace type. x Version 3.8

13 1 Introducing Policy Director for WebLogic Server 1. Introducing Policy Director for WebLogic Server Policy Director for WebLogic Server is an extension to Policy Director Version 3.8 that implements a Policy Director Custom Realm for BEA WebLogic Server 6.1. The Custom Realm provides a user registry that is administered by Policy Director. Policy Director uses group memberships in the user registry to affect authorization decisions made by WebLogic Server. The Custom Realm can also be used with Policy Director WebSEAL to support end-user single sign-on. Policy Director for WebLogic Server enables WebLogic Server applications to use Policy Director security without requiring any coding or deployment changes. Introducing Policy Director The Policy Director for WebLogic Server implements a Custom Realm using the security services provided by a Policy Director secure domain. The Policy Director secure domain must be deployed prior to installation of Policy Director for WebLogic Server. Users who are new to Policy Director should review the Policy Director security model before deploying a Policy Director secure domain. A brief summary of the Policy Director security model is presented here. Tivoli Policy Director for WebLogic Server User Guide 1

14 Introducing Policy Director Policy Director is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets. Policy Director features state-of-the-art security policy management. In addition, Policy Director supports authentication, authorization, data security, and resource management capabilities. You use Policy Director in conjunction with standard Internet-based applications to build highly secure and well-managed intranets and extranets. At its core, Policy Director provides: An authentication framework Policy Director supports a wide range of authentication mechanisms. An authorization framework Policy Director provides a framework for authorization policy management. Authorization policy is managed centrally and distributed automatically to access enforcement points across the enterprise, including the Policy Director servers. The Policy Director authorization service provides permit and deny decisions on access requests for native Policy Director servers and third-party applications. Policy Director WebSEAL is the Policy Director resource security manager for Web-based resources. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security to protected web resources. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy. You can learn more about Policy Director, including information necessary to make deployment decisions, by reviewing the documentation distributed with Tivoli SecureWay Policy Director Version 3.8. Start with the following guides: Tivoli SecureWay Policy Director Base Installation Guide, GC This guide describes how to plan, install, and configure a Policy Director secure domain. A series of easy installation scripts enable you to quickly deploy a fully functional secure domain. 2 Version 3.8

15 Introducing Policy Director These scripts are very useful when prototyping a secure domain that meets your security policy requirements. Tivoli SecureWay Policy Director Base Administration Guide, GC This document presents an overview of the Policy Director security model for managing protected resources. This guide also describes how to configure the Policy Director servers that make access control decisions. In addition, detailed instructions describe how to perform important tasks such as declaring security policies, defining protected object namespaces, and administering user and group profiles. 1. Introducing Policy Director for WebLogic Server Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC This guide provides a comprehensive set of procedures and reference information for managing resources in a secure Web domain. The guide also presents overview and concept material that describes the wide range of WebSEAL functionality. Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC This guide describes how to use the Policy Director authorization API to add security to third party applications. This document includes a description of the svrsslcfg utility. This utility is used during the configuration of Policy Director for WebLogic Server. The Policy Director documentation is included on the Tivoli SecureWay Policy Director Version 3.8 CD-ROMs, and is also available from the Tivoli Customer Support web site. See Accessing Publications Online on page viii. Integrating Policy Director and WebLogic Server The integration of Policy Director with WebLogic Server 6.1 enables WebLogic applications to take advantage of the following Policy Director features: Centralized access control of WebLogic resources in the following way: Tivoli Policy Director for WebLogic Server User Guide 3

16 Integrating Policy Director and WebLogic Server v v Changing a user s group memberships alters their access privileges to WebLogic s Java 2 Enterprise Edition (J2EE) resources in accordance with the group-to-role mappings contained in the deployment descriptors for each WebLogic Server application. WebSEAL controls access to Uniform Resource Locators (URLs) that correspond to objects in the Policy Director policy database. These can be static URL strings or can be represented by pattern matching. Integrated authorization is achieved by WebLogic Server s use of the Policy Director for WebLogic Server Custom Realm to determine which users belong to the groups that are mapped to the J2EE application s security roles. This means that a Policy Director administrator can affect the authorization decisions of WebLogic Server through group membership within the Policy Director registry. Centralized user registry used by the Policy Director management server and WebLogic Server. The Policy Director Version 3.8 product distribution includes IBM SecureWay Directory The Policy Director for WebLogic Server Custom Realm allows this registry, as well as other third-party registries that are supported by Policy Director Version 3.8, to be used as the WebLogic registry. Single sign-on through the use of Policy Director WebSEAL. Single Sign-on is achieved by combining the one-time user authentication of WebSEAL with the validation of user identity by the Policy Director for WebLogic Server Custom Realm. This allows many authentication mechanisms, including certificates, to be used without any impact to the target application. The WebLogic server s trust of WebSEAL is achieved through a combination of a WebSEAL junction and the use of the Policy Director for WebLogic Server Custom Realm. A junction is a network connection between a WebSEAL server and an application server, such that: 1. There is trust between WebSEAL and the application server. 4 Version 3.8

17 Integrating Policy Director and WebLogic Server 2. WebSEAL protects both its own resources and the resources on the junctioned application server. Using Policy Director Authentication Internal Browser 1B WebLogic Server 6.1 J2EE Application Deployment Descriptors 1. Introducing Policy Director for WebLogic Server External Browser 1A Policy Director WebSEAL 2 3 WebLogic User Authentication A WebLogic Access Managers Policy Director Management Server 5 4 B Policy Director Custom Realm for WebLogic Server Policy Database Figure 1. Policy Director provides single sign-on authentication and a Custom Realm for authorization decisions Figure 1 displays the model for the processing of requests for access to protected resources. Requests can come from either external users or internal users. Authenticating External Users 1. An external user requests access to a protected resource. The request is received by WebSEAL before entering the secure network of the enterprise. (See Figure 1, arrow 1A) 2. WebSEAL authenticates the user in the Policy Director secure domain. (See Figure 1, arrow 2) Tivoli Policy Director for WebLogic Server User Guide 5

18 Integrating Policy Director and WebLogic Server WebSEAL supports the following authentication methods: username/password, certificates, username and RSA SecureID, or a custom authentication mechanism. Once authenticated, WebSEAL applies its own authorization decision based on the requested URL and the Policy Director access policy. WebSEAL can apply considerations such as account validity, time-of-day, and authentication mechanism. 3. Once authorized, WebSEAL forwards the request to the WebLogic server. The request includes the external username and a special password within the basic authentication header. The special password belongs to the configured user, and allows the Policy Director for WebLogic Server Custom Realm to confirm WebSEAL as the origin of the request. (See Figure 1, arrow 3) 4. The WebLogic server transparently passes the authenticated user identity and password to the Policy Director Custom Realm. (See Figure 1, arrow 4) 5. The Policy Director Custom Realm uses Policy Director authentication services to verify that the password provided by WebSEAL is correct for the configured user described above. That is, this password provides the basis of trust that the request s origin is WebSEAL. (See Figure 1, arrow 5) The request is now ready for authorization. Authenticating Internal Users Figure 1 also displays the model for the processing of requests for access to protected resources by internal users that do not go through a WebSEAL junction: 1. (1B) Internal user sends request for access to a protected resource. (See Figure 1, arrow 1B) 2. The WebLogic user authentication module sends the user identity to the Policy Director Custom Realm. (See Figure 1, arrow 4) 3. The Policy Director Custom Realm sends the authentication request to the Policy Director management server. (See Figure 1, arrow 5) 6 Version 3.8

19 Integrating Policy Director and WebLogic Server If authentication is successful, the Policy Director Custom Realm returns the username to WebLogic Server, as the authenticated user. The request is now ready for authorization. Using Policy Director Authorization The authorization process occurs as follows: 1. When a request for a J2EE resource is received by WebLogic Server, it checks the relevant deployment descriptor information to determine if access to the resource is restricted to certain roles. (See Figure 1, arrow A) 2. If the request requires the user to assume a role, the WebLogic Server queries the Policy Director Custom Realm to determine whether the requesting user is a member of any of the groups that are mapped to the role. (See Figure 1, arrow B) 3. The Policy Director Custom Realm consults the Policy Director management server to determine if the current user is a member of the group. If the user is a member of a group that is mapped to a permitted role, access is granted. Otherwise, access is denied. (See Figure 1, arrow 5) 1. Introducing Policy Director for WebLogic Server Tivoli Policy Director for WebLogic Server User Guide 7

20 Integrating Policy Director and WebLogic Server 8 Version 3.8

21 2 Installing Policy Director for WebLogic Server This chapter contains the following topics: Software Contents Supported Platforms on page 10 Installation Packages on page 10 Software Prerequisites on page 10 Installing Policy Director for WebLogic Server on page 14 Configuring Policy Director for WebLogic Server on page 15 Configuring a Custom Realm on page 17 Configuring a WebSEAL Junction for the WebLogic Server on page 22 Testing the Configuration on page Installing Policy Director for WebLogic Server Software Contents Policy Director for WebLogic Server is distributed as one installation package. The installation package consists of the following: A JAR file, PDWLS_Realm.jar, containing the Policy Director Custom Realm and all the resources needed by the realm. An EAR file containing a demonstration enterprise application. Tivoli Policy Director for WebLogic Server User Guide 9

22 Supported Platforms Supported Platforms Policy Director for WebLogic Server is supported on the following platforms: Operating System Release AIX Microsoft Windows 2000 Advanced Server, with Service Pack 2 WebLogic Server Release WebLogic Server 6.1, with Service Pack 1 WebLogic Server 6.1, with Service Pack 2 Installation Packages The installation package is available as a software download from the following URL: policy_dir/downloads.html A valid login and password is required to access the Tivoli Customer Support software download site. Software Prerequisites Successful installation of Policy Director for WebLogic Server requires the prerequisites described in the following sections: WebLogic Server Policy Director on page 11 WebLogic Server WebLogic Server 6.1 must be installed and configured on the system that will host Policy Director for WebLogic Server. WebLogic Server 6.1 is currently installed without a default Custom Realm and is launched using the startweblogic command. WebLogic Server should be running when Policy Director for WebLogic Server is installed. To start WebLogic Server, use startweblogic command. 10 Version 3.8

23 Software Prerequisites WebLogic Server is distributed with the necessary Java Runtime Environment (JRE). Policy Director for WebLogic Server uses this same JRE. Successful installation of WebLogic Server satisfies the Policy Director for WebLogic Server prerequisite for a JRE. Java Environment on AIX On AIX systems, WebLogic Server 6.1 requires IBM Java Runtime Environment (JRE), Version 1.3. WebLogic Server 6.1 distributes this JRE, and installs it during the WebLogic Server installation. Policy Director for WebLogic Server uses this same version of the JRE. Policy Director for WebLogic Server uses Java Native Interface (JNI) code. Ensure that the AIX environment is configured as described in: /<BEA install dir>/jdk130/readme.html Policy Director Policy Director for WebLogic Server has dependencies on other Policy Director software, as described in the following sections: Policy Director Management Server and Authorization Server Policy Director WebSEAL on page 12 Policy Director Runtime Environment and Authorization ADK on page 13 Policy Director Base Fixpack 3 for Version 3.8 on page 13 Policy Director WebSEAL Fixpack 1 for Version 3.8 on page Installing Policy Director for WebLogic Server Policy Director Management Server and Authorization Server A Policy Director Version 3.8 secure domain must be installed and configured prior to installing Policy Director for WebLogic Server. The Policy Director secure domain is established when you install the Tivoli SecureWay Policy Director management server. This management server is distributed on the Tivoli SecureWay Policy Director Base Version 3.8 CD-ROM for your operating system. Tivoli Policy Director for WebLogic Server User Guide 11

24 Software Prerequisites Policy Director supports two different modes of authorization: remote mode and local mode. The Policy Director authorization server must be installed if you choose to run Policy Director for WebLogic Server in remote mode. Although you can use either mode with Policy Director for WebLogic Server, remote mode is strongly recommended. For a complete discussion of remote and local mode, see the Tivoli SecureWay Policy Director Base Administration Guide. Typically, the Policy Director management server and authorization server are installed on a different system than the system that hosts Policy Director for WebLogic Server. See the Tivoli Secureway Policy Director Base Installation Guide for installation and configuration instructions for Policy Director management server and Policy Director authorization server. This document is included on the Tivoli SecureWay Policy Director Base Version 3.8 CD-ROM for your operating system. Note: The Policy Director management server must be updated with Base Fixpack 3. See Policy Director Base Fixpack 3 for Version 3.8 on page 13. Policy Director WebSEAL Policy Director WebSEAL provides web-based security services that can be used by Policy Director for WebLogic Server. Policy Director for WebLogic Server, when combined with WebSEAL junctions, can be used to provide a WebSEAL to WebLogic Server single sign-on solution. Policy Director WebSEAL is typically installed on a system other than the system that hosts Policy Director for WebLogic Server. Policy Director WebSEAL requires that Policy Director management server be installed and configured. For complete installation instructions, see the Tivoli Secureway Policy Director WebSEAL Installation Guide. This guide is distributed on the Tivoli SecureWay Policy Director WebSEAL Version 3.8 CD-ROM. 12 Version 3.8

25 Software Prerequisites Note: Policy Director WebSEAL must be updated with WebSEAL Fixpack 1. See Policy Director WebSEAL Fixpack 1 for Version 3.8. Policy Director Runtime Environment and Authorization ADK The following components from the Policy Director Base must be installed on the system that will host Policy Director for WebLogic Server: Policy Director Version 3.8 Runtime Environment Policy Director Version 3.8 Authorization ADK Policy Director Base Fixpack 3 The Policy Director secure domain must be established prior to installing these components on the system that will host Policy Director for WebLogic Server. Policy Director Base Fixpack 3 for Version 3.8 Each Policy Director system must be updated with Base Fixpack 3 for Version 3.8. You must obtain and install the Fixpack for your operating system. The fixpack is titled FixPack 3.8-POL Download and install the Policy Director Fixpack 3 from the following URL: Tivoli_SecureWay_Policy_Director_.html You will need a login and password from Tivoli Customer Support to access this web page. 2. Installing Policy Director for WebLogic Server Policy Director WebSEAL Fixpack 1 for Version 3.8 Each Policy Director WebSEAL server system must be updated with WebSEAL Fixpack 1 for Version 3.8. You must obtain and install the Fixpack for your operating system. The fixpack is titled FixPack 3.8-PWS Download and install the Policy Director WebSEAL Fixpack 1 from the following URL: Tivoli Policy Director for WebLogic Server User Guide 13

26 Software Prerequisites Tivoli_SecureWay_Policy_Director_.html You will need a login and password from Tivoli Customer Support to access this web page. The fixpack is also available from the following ftp site: ftp://ftp.tivoli.com/support/patches/patches_3.8/ Installing Policy Director for WebLogic Server Complete the following steps on the system that hosts WebLogic Server: 1. Verify that the software prerequisites have been satisfied, as described in Software Prerequisites on page 10. In particular, verify that: WebLogic Server is installed, configured, and running on the host system. The Policy Director secure domain has been established, and a WebSEAL server has been installed, within the network environment. A Policy Director WebSEAL server has been configured and is accessible. The necessary fixpacks have been applied to the Policy Director management server and Policy Director WebSEAL. 2. Install and configure the following Policy Director components: Policy Director Runtime Environment Policy Director Authorization ADK For complete installation instructions, see the Tivoli Secureway Policy Director Base Installation Guide. 3. Download the Policy Director for WebLogic Server files as described in Installation Packages on page Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory. 14 Version 3.8

27 Installing Policy Director for WebLogic Server 5. Continue to Configuring Policy Director for WebLogic Server Configuring Policy Director for WebLogic Server Policy Director for WebLogic Server must be registered with the Policy Director secure domain as a Policy Director authorization API application. Use the Policy Director utility svrsslcfg to complete the registration. Usage of this utility is summarized below. For complete information on svrsslcfg, see the Tivoli Secureway Policy Director 3.8 Authorization ADK Developer Reference. In addition, see the README that is shipped with the Authorization ADK demonstration application. This application is installed as part of the Policy Director Authorization ADK installation. The svrsslcfg syntax is: svrsslcfg -config -f cfg_file -d kdb_dir -n server_name -s server_type -r port -P admin_pwd -S server_password Note that file names must be specified as full pathnames, not relative paths. The following table describes the command line options: 2. Installing Policy Director for WebLogic Server Option cfg_file kdb_dir server_name server_type port_num Description Configuration file path and name. The directory that is to contain the keyring database files for the server. The name of the server. The name may be specified as either server_name/hostname or server_name, in which case the local hostname will be appended to form name/hostname. The names ivacld, secmgrd, and ivweb are reserved for Policy Director servers. The type of server being configured. The value must be either local or remote. Set the listening port number for the server. A value of 0 may be specified only if the [aznapi-adminservices] stanza in the configuration file is empty. Tivoli Policy Director for WebLogic Server User Guide 15

28 Configuring Policy Director for WebLogic Server Option admin_pwd server_pwd Description The Policy Director Administrator password. If this parameter is not specified, the password will be read from stdin. The server s password. You can request that a password be created by the system by specifying a dash (-) for the password. An example set of configuration steps would be: 1. Create the <PD work directory>, such as C:\bea\PDWLSRealm\. The <PD work directory> is a directory that will be used to store the aznapi.conf file, as well as the Policy Director SSL certificates that will be used by the WebLogic Server to communicate with the Policy Director servers. It will also be used as temporary folder. 2. Copy the sample configuration file from <Policy Director-install-dir>\example\authzn_demo\cpp configuration\ aznapi.conf to this directory as file pdwlsrealm.conf and use it as input to svrsslcfg command below. 3. Edit pdwlsrealm.conf and comment-out the line with AZN_ADMIN_SVC_TRACE. 4. Use svrsslcfg to configure Policy Director remote mode: svrsslcfg -add_replica -f cfg_file -h host_name -p port -k rank Note: This command is not required when running in local mode. Running in remote mode is recommended. The following options are used: Option cfg_file host_name Description Configuration file path and name. This is a required parameter. TCP hostname of the Policy Director authorization server. This parameter is required. 16 Version 3.8

29 Configuring Policy Director for WebLogic Server Option server_port replica_rank Description Listening port number of the ivacld (authorization server) replica server. This id the port number on which ivacld listens for requests. If not specified on an -add_replica action, a default of 7136 will be used. Replica order of preference among other replicas. This parameter defaults to 10 on the -add_replica action. 5. Use svrsslcfg to create the aznapi configuration file: svrsslcfg -config -f c:\bea\pdwlsrealm\pdwlsrealm.conf -d c:\bea\pdwlsrealm -n pdwlsrealm -s remote -P <sec_master password> -S <PD-WLS-password> -r 0 6. View the new Policy Director server by issuing the command: pdadmin> server list 7. Continue to the next section: Configuring a Custom Realm. Configuring a Custom Realm The following table provides a key to the variables that are referred to in this section: 2. Installing Policy Director for WebLogic Server Variable <BEA domain directory> <webseald server name> <PD Realm> Description Directory of the installed domain of the WebLogic Server. In a standard installation this value would be: Windows: C:\bea\wlserver6.1\Config\mydomain UNIX: /bea/wlserver6.1/config/mydomain Name of the host system for the Policy Director WebSEAL server. Generally of the form webseald-hostname. Name of the Policy Director Custom Realm that will be added to WebLogic Server. This name can be anything you choose. Tivoli Policy Director for WebLogic Server User Guide 17

30 Configuring a Custom Realm Variable <PDCachingRealm> <AZN conf file path> <configured user> <configured user password> <WebLogic server> <WebLogic Server listen port> <pdadmin context user> <pdadmin context user password> Description Name of the Policy Director Caching Realm that will be added to WebLogic Server. This name can be anything you choose. The fully qualified path of the Policy Director authorization configuration file pdwlsrealm.conf, that is generated when using svrsslcfg to configure a Policy Director Authorization API application. The special Policy Director user that is used in order to form a trust relationship between WebSEAL and WebLogic Server. The name of this user can be any valid Policy Director user name. The password of the <configured user>. The hostname of the WebLogic Server system. The port that WebLogic Server is listening on. Name of the user that will be used to create a pdadmin context. This user must be in the iv-admin user group or be delegated enough permission to be able to create, delete, modify, and list users and groups. You can do this by giving the user the following permissions on an access control list (ACL) attached to the /Management object: TcmdbsvatNWA The name of the default ACL attached to the /Management object is default-management. Password for the <pdadmin context user>. Complete the following steps on the system that hosts the WebLogic Server: 1. Extract the contents of PDWLS_Realm.jar to <PD work directory> This creates a sub-directory called image with the following files in it: 18 Version 3.8

31 Configuring a Custom Realm pdlib.dll pdauthzn.jar libpdlib.a libaznjni.a pdadmin.jar aznjni.dll PDRealm.jar 2. Copy the appropriate shared libraries for your operating system (*.dll on Windows and *.a in AIX) from the above list into a directory that is in the system path. For example: Windows: C:\Program Files\Tivoli\Policy Director\bin AIX: /usr/lib 3. Ensure that pdadmin.jar, pdauthzn.jar and PDRealm.jar are included in the CLASSPATH variable of the startweblogic batch file (on Windows systems) or shell script (on UNIX systems) located in <BEA domain directory>. 4. Stop the WebLogic server. 5. Create the WebSEAL <configured user> using the Policy Director Web Portal Manager or the Policy Director utility pdadmin. For example, if <configured user> is websealsso and <configured user password> is pdwebwlssso, enter the following pdadmin commands: pdadmin> user create websealsso cn=websealsso, o=ibm,c=au websealsso websealsso pdwebwlssso pdadmin> user modify websealsso account-valid yes 2. Installing Policy Director for WebLogic Server For optimum security, protect the password for the configured user. Change the password at regular intervals. Use the Policy Director random password generator to create the password: UNIX: /opt/policydirector/sbin/genpass 6. Create the <pdadmin context user> that the Custom Realm uses with the Policy Director administration API. This user must either be added to the iv-admin group or be delegated sufficient permission such that it can add, delete, modify, and list users and groups. For example, the following command creates a user: Tivoli Policy Director for WebLogic Server User Guide 19

32 Configuring a Custom Realm pdadmin> user create <pdadmin context user> cn=<pdadmin context user>,o=ibm,c=au <pdadmin context user> <pdadmin context user> <pdadmin context user password> iv-admin Next, activate the new user account. For example: pdadmin> user modify < pdadmin context user > account-valid yes 7. Start the WebLogic server. 8. Launch the WebLogic Server console in a browser. Access the following URL: listening port>/console 9. Click Security -> Realms -> Configure a new Custom Realm. Name: <PDRealm> Realm Class Name: com.tivoli.wlsrealm.pdrealm Supply the configuration data described in the following table: Realm Property Valid Values Description webseal.sso.configured true or false Defines whether WebSEAL will be configured and whether to attempt to perform single sign-on. pdadmin.user.name <pdadmin context user> Name of the user that will be used to create a pdadmin context. This user must be in the iv-admin user group or be delegated sufficient permission such that they can add, delete, modify, and list users and groups. pdadmin.password <pdadmin context user password> Password of the above user. 20 Version 3.8

33 Configuring a Custom Realm Realm Property Valid Values Description pdrealm.registry.listing true or false Defines whether the Policy Director Custom Realm should list users and groups, including group memberships, to the WebLogic Server console window. This should be set to false in production environments. Set it to true only in a test environment. connection.pool 1 - n Where n is an integer defining the number of Realm objects to instantiate in the Realm pool. pdrealm.tracing true or false Turn Policy Director Realm tracing on or off. Trace will be sent to the WebLogic Server log. wls.admin.user <configured user> The special user that is configured in the Policy Director Custom Realm configuration data in order to form a trust relationship between WebSEAL and WebLogic Server. group.dn A valid Distinguished Name (DN) LDAP naming context where groups are defined. For example, c=gb. user.dn A valid DN LDAP naming context where users are defined. For example, c=gb. aznapi.conf.file <AZN conf file path> The fully qualified pathname of the Authorization API configuration file, pdwlsrealm.conf, generated by svrsslcfg. 2. Installing Policy Director for WebLogic Server 10. Configure a new Caching Realm: Tivoli Policy Director for WebLogic Server User Guide 21

34 Configuring a Custom Realm Name: <PDCachingRealm> Basic Realm: <PDRealm> Case Sensitive: Yes Use defaults for the caching settings. 11. Go to Security -> FileRealm and set it to <PDCachingRealm>. Leave all other fields unchanged. 12. Restart WebLogic Server. Security settings will now take effect. 13. Continue to the next section: Configuring a WebSEAL Junction for the WebLogic Server. Configuring a WebSEAL Junction for the WebLogic Server Complete the following steps on the system that hosts the Policy Director WebSEAL server: 1. Update the following configuration item in the WebSEAL configuration file, webseald.conf: basicauth-dummy-passwd = <configured user password> 2. Stop and restart WebSEAL, to make the configuration change take effect. 3. Use the pdadmin command to create a WebSEAL junction. Be sure to use the -b option to supply the junction target URL. This is required for single sign-on. For example: pdadmin> server task <webseald_server_name> create -t tcp -p <WebLogic Server listen port> -h <WebLogic server> -b supply <junction target> 22 Version 3.8

35 Configuring a WebSEAL Junction for the WebLogic Server The above command uses the following variables: Variable <webseald_server_name> <WebLogic server> <WebLogic server listen port> <junction target> Description Name of the Policy Director WebSEAL server. Generally of the form webseald-hostname. The hostname of the WebLogic Server. The port on which the WebLogic Server is listening. The URL target of the junction. For complete information on creating and using Policy Director WebSEAL junctions, see the Tivoli SecureWay Policy Director WebSEAL Administration Guide. Testing the Configuration Verify that the Policy Director Custom Realm has been correctly configured by completing the following steps: 1. Use the WebLogic Server console to create a new test user. 2. Execute the following pdadmin command: pdadmin> user show <test user> Verify that account-valid is yes. Verify that password-valid is yes. The Policy Director Custom Realm single sign-on solution allows a single authentication step through WebSEAL that transparently authenticates the user to the WebLogic Server. You can confirm that this is configured correctly by running the demonstration application. The demonstration application is described in the next chapter. 2. Installing Policy Director for WebLogic Server Tivoli Policy Director for WebLogic Server User Guide 23

36 Testing the Configuration 24 Version 3.8

37 3 Using Policy Director for WebLogic Server This chapter contains the following topics: Using the Demonstration Application Creating Test Users on page 27 Usage Tips on page 27 Troubleshooting Tips on page 28 Limitations on page 28 Using the Demonstration Application You can use the demonstration application to see an example of two types of authorization, and to exercise the WebSEAL single sign-on capability. The two types of authorization are: Declarative In this case, the Deployment Descriptor ensures that only users in the BankMembers group can successfully access the PDDemo demonstration Servlet. 3. Using Policy Director for WebLogic Server Programmatic Tivoli Policy Director for WebLogic Server User Guide 25

38 Using the Demonstration Application Using programmatic security, the Enterprise Java Bean ensures that only the owner of each account has the permission to view their own account balance. For example, user Mark cannot view user Luke s balance. To run the demonstration application, complete the following steps: 1. Copy the demonstration application PDDemoApp.ear into <BEA domain directory>\applications. Note that use of this directory is not required. You can place the EAR file into any directory on your file system. 2. Use the WebLogic Server console to install the demonstration application. 3. Use the WebLogic Server console to create the following users: Matthew Mark Luke John 4. Use the WebLogic Server console to create a BankMembers group. 5. Add all of the users created above to this group. 6. To access the demonstration application, access the following URL: server>:<wls listening port>/pddemo/pddemo Authenticate with one of the users defined above. 7. Verify that only users defined in the BankMembers group can access the Servlet. 8. Verify that the authenticated user can view their own balance, but not the balance of any other user. To test the WebSEAL Single Sign On, complete the following steps: 1. Access the following URL: server name>/<junction target>/pddemo/pddemo WebSEAL will prompt you to authenticate. 26 Version 3.8

39 Note: Use HTTPS here because the default WebSEAL behavior is to prevent Basic or Forms-based authentication over HTTP. 2. Authenticate as one of the users defined above. This process will single sign the user on to the WebLogic Server and the Servlet will be invoked without requiring a second authentication. When accessed through WebSEAL, the PDDemo demonstration application will show identical behavior to that shown when accessing the WebLogic Server directly. 3. Verify that the authenticated user can view their own balance, but not the balance of any other user. Creating Test Users Using the Demonstration Application For convenience, if many test users are required, a script named users.sh is provided. This tool can be used to create and/or delete multiple test users, by creating appropriate pdadmin scripts: Run users.sh to generates two text files that pdadmin can use to add and remove a set of users to or from the user registry. Usage Tips To use the users.sh script, edit the script and define the variables appropriate for your environment. Two files are generated: add_users.txt and remove_users.txt. Use these files as input to pdadmin scripts as follows: pdadmin -a sec_master -p <password> <add_users.txt pdadmin -a sec_master -p <password> <remove_users.txt 1. Observe good security practices when enabling single sign-on for external users. Ensure that authentication is performed only by the WebSEAL server. To achieve this, disable access to the WebLogic Server by internal users that do not go through the WebSEAL server. 3. Using Policy Director for WebLogic Server Tivoli Policy Director for WebLogic Server User Guide 27

40 Usage Tips 2. Policy Director Custom Realm listing should be set to false in production environments. Set this to true only when testing to verify that a realm is operational. 3. To use the WebLogic Server System and Guest users through WebSEAL, you must to create a dummy guest in Policy Director, and set the real Guest and System password to match the configured user s password. Note, however, this means that if you want to allow the guest user to log in without going through WebSEAL (such as an access an intranet), you will need to expose the configured user password. Troubleshooting Tips Limitations When a user has authenticated through forms-based login, and attempts to access a resource for which they do not have permission, the following error message may appear: Could not Sign On message from WebSEAL This can occur because even though the user could actually be authenticated, they don t have permission to access the Servlet in the web container. If this error occurs when using Basic Authentication, the user will be re-prompted for the authentication details, instead of seeing the page described above. This is default WebLogic Server behavior and would be seen if the user accesses the page either directly or through WebSEAL. 1. Policy Director for WebLogic Server does not support recursive group membership (groups within groups). 2. Centralized control of user access to WebLogic s J2EE resources is limited to moving users between groups that have been assigned to roles in application deployment descriptors. 3. Single sign-on to WebLogic Server using forms-based authentication is not supported. 28 Version 3.8

41 Limitations 4. WebLogic Server role membership checks require the Policy Director management server to be running. 5. Policy Director for WebLogic Server Does not implement the java.security.acl interface. Note that Policy Director ACLs do not correspond to WebLogic Server ACLs. 3. Using Policy Director for WebLogic Server Tivoli Policy Director for WebLogic Server User Guide 29

42 Limitations 30 Version 3.8

43

44 SC Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.