IBM Tivoli Access Manager for WebLogic Server. User's Guide. Version 3.9 GC


IBM Tivoli Access Manager for WebLogic Server User's Guide Version 3.9 GC32-0851-00

Note: Before using this information and the product it supports, read the information in Appendix B, Notices on page 35.

Second Edition (April 2002)

This edition replaces SC32-0831-00.

Copyright International Business Machines Corporation 2002. All rights reserved. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface  v
Who should read this guide  v
What this guide contains  v
Publications  v
IBM Tivoli Access Manager  v
Related publications  viii
Accessing publications online  x
Ordering publications  x
Providing feedback about publications  x
Accessibility  x
Contacting customer support  xi
Conventions used in this book  xi
Typeface conventions  xi

Chapter 1. Introducing IBM Tivoli Access Manager for WebLogic Server  1
Introducing Access Manager  1
Integrating Access Manager and WebLogic Server  2
Using Access Manager authentication  3
Using Access Manager authorization  4

Chapter 2. Installing IBM Tivoli Access Manager for WebLogic Server  5
Supported platforms  5
Disk and memory requirements  5
Installation packages  6
Software prerequisites  6
Prerequisites on Access Manager policy server and authorization server  6
Prerequisites on Access Manager WebSEAL  6
Prerequisites on WebLogic Server  7
Prerequisites on Access Manager runtime environment and Java runtime  7
Optional use of Access Manager ADK  7
Installing Access Manager for WebLogic  8
Installing Access Manager for WebLogic on Solaris  8
Installing Access Manager for WebLogic on AIX  8
Installing Access Manager for WebLogic on HP-UX  9
Installing Access Manager for WebLogic on Linux  10
Installing Access Manager for WebLogic on Windows  11
Configuring Access Manager for WebLogic  11
Configuring a Custom Realm  15
Configuring a WebSEAL junction for the WebLogic Server  19
Testing the configuration  19

Chapter 3. Using IBM Tivoli Access Manager for WebLogic Server  21
Using the demonstration application  22
Creating test users  22
Usage tips  22
Troubleshooting tips  23
Limitations  23

Chapter 4. Removing IBM Tivoli Access Manager for WebLogic Server  25
Removing Access Manager for WebLogic on Solaris  25
Removing Access Manager for WebLogic on Windows  25
Removing Access Manager for WebLogic on AIX  26
Removing Access Manager for WebLogic on HP-UX  26
Removing Access Manager for WebLogic on Linux  27

Appendix A. svrsslcfg reference  29
svrsslcfg  30

Appendix B. Notices  35
Trademarks  37

Copyright IBM Corp. 2002 iii

iv IBM Tivoli Access Manager for WebLogic Server: User's Guide

Preface

Welcome to IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic). This product extends IBM Tivoli Access Manager to support applications written for BEA WebLogic Server.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

The IBM Tivoli Access Manager for WebLogic Server User's Guide provides installation, configuration, and administration instructions for using Access Manager with WebLogic Server.

Who should read this guide

The target audience for this administration guide includes:
- Security administrators
- Network system administrators
- IT architects

Readers should be familiar with:
- Internet protocols, including HTTP, TCP/IP, file transfer protocol (FTP), and telnet
- Deployment and management of WebLogic Server systems
- Security management, including authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this guide contains

This document contains the following chapters:
- Chapter 1, Introducing IBM Tivoli Access Manager for WebLogic Server: Presents an overview of the authentication and authorization services provided by Access Manager for WebLogic.
- Chapter 2, Installing IBM Tivoli Access Manager for WebLogic Server: Describes how to install and configure Access Manager for WebLogic.
- Chapter 3, Using IBM Tivoli Access Manager for WebLogic Server: Describes how to use the demonstration application, and provides usage tips, troubleshooting information, and limitations.
- Chapter 4, Removing IBM Tivoli Access Manager for WebLogic Server: Describes how to remove Access Manager for WebLogic.

Publications

This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

IBM Tivoli Access Manager

The Access Manager library is organized into the following categories:
- Release information
- Base information
- WebSEAL information
- Web security information
- Developer reference information
- Supplemental technical information

For additional sources of information about Access Manager and related topics, see the following Web sites:
http://www.ibm.com/redbooks
https://www.tivoli.com/secure/support/documents/fieldguides

Release information

IBM Tivoli Access Manager for e-business Read Me First, GI11-0918 (am39_readme.pdf)
Provides information for installing and getting started using Access Manager.

IBM Tivoli Access Manager for e-business Release Notes, GI11-0919 (am39_relnotes.pdf)
Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

IBM Tivoli Access Manager Base Installation Guide, GC32-0844 (am39_install.pdf)
Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.

IBM Tivoli Access Manager Base Administrator's Guide, GC23-4684 (am39_admin.pdf)
Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command.

IBM Tivoli Access Manager Base for Linux on zSeries Installation Guide, GC23-4796 (am39_zinstall.pdf)
Explains how to install and configure Access Manager Base for Linux on the zSeries platform.

WebSEAL information

IBM Tivoli Access Manager WebSEAL Installation Guide, GC32-0848 (amweb39_install.pdf)
Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.

IBM Tivoli Access Manager WebSEAL Administrator's Guide, GC23-4682 (amweb39_admin.pdf)
Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.

IBM Tivoli Access Manager WebSEAL Developer's Reference, GC23-4683 (amweb39_devref.pdf)
Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide, GC23-4797 (amweb39_zinstall.pdf)
Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit for Linux on the zSeries platform.

Web security information

IBM Tivoli Access Manager for WebSphere Application Server User's Guide, GC32-0850 (amwas39_user.pdf)
Provides installation, removal, and administration instructions for Access Manager for IBM WebSphere Application Server.

IBM Tivoli Access Manager for WebLogic Server User's Guide, GC32-0851 (amwls39_user.pdf)
Provides installation, removal, and administration instructions for Access Manager for BEA WebLogic Server.

IBM Tivoli Access Manager Plug-in for Edge Server User's Guide, GC23-4685 (amedge39_user.pdf)
Describes how to install, configure, and administer the plug-in for IBM WebSphere Edge Server.

IBM Tivoli Access Manager Plug-in for Web Servers User's Guide, GC23-4686 (amws39_user.pdf)
Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers application.

Developer references

IBM Tivoli Access Manager Authorization C API Developer's Reference, GC32-0849 (am39_authc_devref.pdf)
Provides reference material that describes how to use the Access Manager authorization C API and the Access Manager service plug-in interface to add Access Manager security to applications.

IBM Tivoli Access Manager Authorization Java Classes Developer's Reference, GC23-4688 (am39_authj_devref.pdf)
Provides reference information for using the Java language implementation of the authorization API to enable an application to use Access Manager security.

IBM Tivoli Access Manager Administration C API Developer's Reference, GC32-0843 (am39_adminc_devref.pdf)

Provides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API.

IBM Tivoli Access Manager Administration Java Classes Developer's Reference, SC32-0842 (am39_adminj_devref.pdf)
Provides reference information for using the Java language implementation of the administration API to enable an application to perform Access Manager administration tasks.

IBM Tivoli Access Manager WebSEAL Developer's Reference, GC23-4683 (amweb39_devref.pdf)
Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements

IBM Tivoli Access Manager Performance Tuning Guide, GC43-0846 (am39_perftune.pdf)
Provides performance tuning information for an environment consisting of Access Manager with IBM SecureWay Directory defined as the user registry.

IBM Tivoli Access Manager Capacity Planning Guide, GC32-0847 (am39_capplan.pdf)
Assists planners in determining the number of WebSEAL, LDAP, and backend Web servers needed to achieve a required workload.

IBM Tivoli Access Manager Error Message Reference, SC32-0845 (am39_error_ref.pdf)
Provides explanations and recommended actions for the messages produced by Access Manager.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at the following Web site:
http://www.tivoli.com/support/documents/glossary/termsm03.htm

Related publications

This section lists publications related to the Access Manager library.

IBM DB2 Universal Database

IBM DB2 Universal Database is required when installing IBM SecureWay Directory, z/OS, and OS/390 SecureWay LDAP servers. DB2 information is available at the following Web site:
http://www.ibm.com/software/data/db2/

IBM SecureWay Directory

IBM SecureWay Directory, Version 3.2.2, is shipped on the IBM Tivoli Access Manager Base CD for your particular platform. If you plan to install the IBM SecureWay Directory server as your user registry, the following documents are available in the /doc/directory path on the IBM Tivoli Access Manager Base CD for your particular platform:

IBM SecureWay Directory Installation and Configuration Guide, SC32-0845 (aparent.pdf, lparent.pdf, sparent.pdf, wparent.pdf)

Provides installation, configuration, and migration information for IBM SecureWay Directory components on AIX, Linux, Solaris, and Microsoft Windows operating systems.

IBM SecureWay Directory Release Notes (relnote.pdf)
Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made available to you in this release.

IBM SecureWay Directory Readme Addendum (addendum322.pdf)
Provides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This file is in English only.

IBM SecureWay Directory Server Readme (server.pdf)
Provides a description of the IBM SecureWay Directory Server, Version 3.2.2.

IBM SecureWay Directory Client Readme (client.pdf)
Provides a description of the IBM SecureWay Directory Client SDK, Version 3.2.2. This software development kit (SDK) provides LDAP application development support.

SSL Introduction and iKeyman User's Guide (gskikm5c.pdf)
Provides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain.

IBM SecureWay Directory Configuration Schema (scparent.pdf)
Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) in the slapd32.conf file.

IBM SecureWay Directory Tuning Guide (tuning.pdf)
Provides performance tuning information for IBM SecureWay Directory. Tuning considerations for directory sizes ranging from a few thousand entries to millions of entries are given where applicable.

For more information about IBM SecureWay Directory, see the following Web site:
http://www.software.ibm.com/network/directory/library/

IBM WebSphere Application Server

IBM WebSphere Application Server Standard Edition, Version 4.0.2, is installed with the Web portal manager interface. For information about IBM WebSphere Application Server, see the following Web site:
http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing publications online

Publications in the product libraries are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD.

When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products. You can access the Tivoli Information Center and other sources of technical information from the following Web site:
http://www.tivoli.com/support/documents/

Information is organized by product, including release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File > Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications

You can order many Tivoli publications online at the following Web site:
http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, for a list of telephone numbers, see the following Web site:
http://www.tivoli.com/inside/store/lit_order.html

Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
- Send an e-mail to pubs@tivoli.com.
- Complete our customer feedback survey at the following Web site: http://www.tivoli.com/support/survey/

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting customer support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:
http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:
- Registration and eligibility
- Telephone numbers and e-mail addresses, depending on the country in which you are located
- What information to gather before contacting support

Conventions used in this book

This guide uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

The following typeface conventions are used in this book:
- Bold: Command names and options, keywords, and other information that you must use literally appear in bold.
- Italic: Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.
- Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.


Chapter 1. Introducing IBM Tivoli Access Manager for WebLogic Server

Introducing Access Manager

IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic) is an extension to IBM Tivoli Access Manager (Access Manager) that implements an Access Manager Custom Realm for BEA WebLogic Server 6.1. The Custom Realm provides a user registry that is administered by Access Manager. Access Manager uses group memberships in the user registry to affect authorization decisions made by WebLogic Server. The Custom Realm can also be used with IBM Tivoli Access Manager WebSEAL (WebSEAL) to support end-user single sign-on. Access Manager for WebLogic enables WebLogic Server applications to use Access Manager security without requiring any coding or deployment changes.

Access Manager for WebLogic implements a Custom Realm using the security services provided by an Access Manager secure domain. The Access Manager secure domain must be deployed prior to installation of Access Manager for WebLogic. Users who are new to Access Manager should review the Access Manager security model before deploying an Access Manager secure domain. A brief summary of the Access Manager security model is presented here.

Access Manager is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets. Access Manager features state-of-the-art security policy management. In addition, Access Manager supports authentication, authorization, data security, and resource management capabilities. You use Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets and extranets.

At its core, Access Manager provides:
- An authentication framework: Access Manager supports a wide range of authentication mechanisms.
- An authorization framework: Access Manager provides a framework for authorization policy management. Authorization policy is managed centrally and distributed automatically to access enforcement points across the enterprise, including the Access Manager servers. The Access Manager authorization service provides permit and deny decisions on access requests for native Access Manager servers and third-party applications.

WebSEAL is the Access Manager resource security manager for Web-based resources. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security to protected Web resources. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

You can learn more about Access Manager, including information necessary to make deployment decisions, by reviewing the documentation distributed with IBM Tivoli Access Manager Version 3.9. Start with the following guides:

- IBM Tivoli Access Manager Base Installation Guide, GC32-0735: This guide describes how to plan, install, and configure an Access Manager secure domain. A series of easy installation scripts enable you to quickly deploy a fully functional secure domain. These scripts are very useful when prototyping a secure domain that meets your security policy requirements.
- IBM Tivoli Access Manager Base Administration Guide, GC32-0680: This document presents an overview of the Access Manager security model for managing protected resources. This guide also describes how to configure the Access Manager servers that make access control decisions. In addition, detailed instructions describe how to perform important tasks such as declaring security policies, defining protected object namespaces, and administering user and group profiles.
- IBM Tivoli Access Manager WebSEAL Administration Guide, GC32-0684: This guide provides a comprehensive set of procedures and reference information for managing resources in a secure Web domain. The guide also presents overview and concept material that describes the wide range of WebSEAL functionality.
- IBM Tivoli Access Manager Authorization C API Developer Reference, GC32-0813: This guide describes how to use the Access Manager authorization API to add security to third party applications. This document includes a description of the svrsslcfg utility. This utility is used during the configuration of Access Manager for WebLogic.

The Access Manager documentation is included on the IBM Tivoli Access Manager Version 3.9 CD-ROMs, and is also available from the Tivoli Customer Support Web site. See Accessing publications online on page x.
Integrating Access Manager and WebLogic Server

The integration of Access Manager with WebLogic Server 6.1 enables WebLogic applications to take advantage of the following Access Manager features:

- Centralized access control of WebLogic resources in the following way:
  - Changing a user's group memberships alters their access privileges to WebLogic's Java 2 Enterprise Edition (J2EE) resources in accordance with the group-to-role mappings contained in the deployment descriptors for each WebLogic Server application.
  - WebSEAL controls access to Uniform Resource Locators (URLs) that correspond to objects in the Access Manager policy database. These can be static URL strings or can be represented by pattern matching.
  - Integrated authorization is achieved by WebLogic Server's use of the Access Manager for WebLogic Custom Realm to determine which users belong to the groups that are mapped to the J2EE application's security roles. This means that an Access Manager administrator can affect the authorization decisions of WebLogic Server through group membership within the Access Manager registry.
- Centralized user registry used by the Access Manager policy server and WebLogic Server. The Access Manager Version 3.9 product distribution includes IBM SecureWay Directory 3.2.2. The Access Manager for WebLogic Custom Realm allows this registry, as well as other third-party registries that are supported by Access Manager Version 3.9, to be used as the WebLogic registry.
- Single sign-on through the use of WebSEAL. Single sign-on is achieved by combining the one-time user authentication of WebSEAL with the validation of user identity by the Access Manager for WebLogic Custom Realm. This allows many authentication mechanisms, including certificates, to be used without any impact to the target application. The WebLogic server's trust of WebSEAL is achieved through a combination of a WebSEAL junction and the use of the Access Manager for WebLogic Custom Realm. A junction is a network connection between a WebSEAL server and an application server, such that:
  1. There is trust between WebSEAL and the application server.
  2. WebSEAL protects both its own resources and the resources on the junctioned application server.

Using Access Manager authentication

Figure 1 displays the model for the processing of requests for access to protected resources. Requests can come from either external users or internal users.

[Figure 1 (diagram): External Browser (arrow 1A) and Internal Browser (arrow 1B); Access Manager WebSEAL (arrows 2, 3); WebLogic Server 6.1 with J2EE Application Deployment Descriptors and WebLogic User Authentication (arrow 4); Access Manager Custom Realm for WebLogic Server (arrow 5); Access Manager Policy Server with Policy Database and User Registry.]

Figure 1. Access Manager provides single sign-on authentication and a Custom Realm for authorization decisions

Authenticating external users

1. An external user requests access to a protected resource. The request is received by WebSEAL before entering the secure network of the enterprise. (See Figure 1, arrow 1A)
2. WebSEAL authenticates the user in the Access Manager secure domain. (See Figure 1, arrow 2) WebSEAL supports the following authentication methods: username/password, certificates, username and RSA SecurID, or a custom authentication mechanism.

   Once authenticated, WebSEAL applies its own authorization decision based on the requested URL and the Access Manager access policy. WebSEAL can apply considerations such as account validity, time-of-day, and authentication mechanism.
3. Once authorized, WebSEAL forwards the request to the WebLogic server. The request includes the external username and a special password within the basic authentication header. The special password belongs to the configured_user, and allows the Access Manager for WebLogic Custom Realm to confirm WebSEAL as the origin of the request. (See Figure 1, arrow 3) For more information about the configured_user, see "Configuring a Custom Realm" on page 12.
4. The WebLogic server transparently passes the authenticated user identity and password to the Access Manager Custom Realm. (See Figure 1, arrow 4)
5. The Access Manager Custom Realm uses Access Manager authentication services to verify that the password provided by WebSEAL is correct for the configured_user described above. That is, this password provides the basis of trust that the request's origin is WebSEAL. (See Figure 1, arrow 5)
The request is now ready for authorization.

Authenticating internal users

Figure 1 also displays the model for the processing of requests for access to protected resources by internal users that do not go through a WebSEAL junction:
1. An internal user sends a request for access to a protected resource. (See Figure 1, arrow 1B)
2. The WebLogic user authentication module sends the user identity to the Access Manager Custom Realm. (See Figure 1, arrow 4)
3. The Access Manager Custom Realm sends the authentication request to the user registry. (See Figure 1, arrow 5)
If authentication is successful, the Access Manager Custom Realm returns the username to WebLogic Server as the authenticated user. The request is now ready for authorization.

Using Access Manager authorization

The authorization process occurs as follows:
1. When a request for a J2EE resource is received by WebLogic Server, it checks the relevant deployment descriptor information to determine if access to the resource is restricted to certain roles. (See Figure 1, arrow A)
2. If the request requires the user to assume a role, the WebLogic Server queries the Access Manager Custom Realm to determine whether the requesting user is a member of any of the groups that are mapped to the role. (See Figure 1, arrow B)
3. The Access Manager Custom Realm consults the Access Manager authorization server to determine if the current user is a member of the group. If the user is a member of a group that is mapped to a permitted role, access is granted. Otherwise, access is denied. (See Figure 1, arrow 5)
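The two authentication paths and the role check described above, as an added model (not IBM's Custom Realm code): WebSEAL asserts the external username together with the configured_user's password in the Basic authentication header, the realm accepts the asserted identity only when that password verifies, internal users authenticate with their own registry password, and authorization maps the user's groups to the roles the deployment descriptor permits for the resource. All names, passwords, groups, resources and mappings are constructed.

```python
import base64
import binascii
import hmac
from collections import namedtuple

Decision = namedtuple("Decision", "allowed reason")


def basic_header(user, password):
    """Build a Basic authentication header value carrying user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header):
    """Return (user, password) from a Basic header, or None if it is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


class ModelRealm:
    """Toy stand-in for the Custom Realm. The registry dict replaces the
    Access Manager user registry; the two mapping dicts replace the
    deployment descriptors. Everything passed in is constructed."""

    def __init__(self, configured_user, configured_password, registry,
                 resource_roles, group_roles):
        self.configured_user = configured_user        # trust account presented by WebSEAL
        self.configured_password = configured_password
        self.registry = registry              # user -> (password, set of groups)
        self.resource_roles = resource_roles  # resource -> roles allowed to access it
        self.group_roles = group_roles        # group -> roles it is mapped to

    def authenticate_junctioned(self, header):
        """Arrows 3 to 5: the header names the external user but carries the
        configured_user's password, so the asserted name is trusted only when
        that password is correct; the user's own password never crosses the junction."""
        creds = parse_basic_auth(header)
        if creds is None:
            return None
        user, password = creds
        if not hmac.compare_digest(password.encode(), self.configured_password.encode()):
            return None  # not proven to come from WebSEAL: reject the asserted identity
        return user

    def authenticate_internal(self, user, password):
        """Arrows 1B, 4, 5: an internal user supplies its own registry password."""
        entry = self.registry.get(user)
        if entry is None or not hmac.compare_digest(password.encode(), entry[0].encode()):
            return None
        return user

    def authorize(self, user, resource):
        """Arrows A, B, 5: grant if any of the user's groups maps to a permitted role."""
        required = self.resource_roles.get(resource, set())
        if not required:
            return Decision(True, "resource is not role-restricted")
        groups = self.registry.get(user, ("", set()))[1]
        for group in sorted(groups):
            if self.group_roles.get(group, set()) & required:
                return Decision(True, f"{user} is in {group}, mapped to a permitted role")
        return Decision(False, f"{user} is in no group mapped to {sorted(required)}")


def build_sample_realm():
    """Constructed trust account, registry and descriptor mappings."""
    return ModelRealm(
        configured_user="webseal_trust", configured_password="constructed-secret",
        registry={"alice": ("alice-pw", {"managers"}), "bob": ("bob-pw", {"staff"})},
        resource_roles={"/payroll/report": {"admin"}},
        group_roles={"managers": {"admin"}, "staff": {"employee"}},
    )


if __name__ == "__main__":
    realm = build_sample_realm()
    header = basic_header("alice", realm.configured_password)  # what WebSEAL would send
    user = realm.authenticate_junctioned(header)
    print(user, realm.authorize(user, "/payroll/report"))
```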

Chapter 2. Installing IBM Tivoli Access Manager for WebLogic Server

This chapter contains the following topics:
- Supported platforms
- Installation packages on page 6
- Software prerequisites on page 6
- Installing Access Manager for WebLogic on page 8
- Configuring Access Manager for WebLogic on page 11
- Configuring a Custom Realm on page 12
- Configuring a WebSEAL junction for the WebLogic Server on page 18
- Testing the configuration on page 19

Supported platforms

IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic) is supported on the following platforms:

Operating System Release                                    | WebLogic Server Release
AIX 4.3.3, AIX 5L                                           | WebLogic Server 6.1, with Service Pack 1
Solaris 7 and 8                                             |
HP-UX 11.0                                                  | WebLogic Server 6.1, with Service Pack 2
Microsoft Windows 2000 Advanced Server, with Service Pack 2 |
Microsoft Windows NT with Service Pack 6A                   |
Red Hat Linux 7.1, kernel 2.4.2-2                           |

Disk and memory requirements

Access Manager for WebLogic has the following disk and memory requirements:
- 64 MB RAM. This is the amount of memory needed in addition to the memory requirements specified by WebLogic Server and by any other Access Manager components. The additional 64 MB RAM is used to optimize caching performance. The amount of memory needed by other Access Manager components will depend on which Access Manager components are installed on the host system. For more information, see the IBM Tivoli Access Manager Base Installation Guide.
- 250 KB (kilobytes) disk space. This requirement is in addition to the disk space required by WebLogic Server and by any other Access Manager components.

Copyright IBM Corp. 2002 5

Installation packages

The installation package is available as a software download from the following URL:
http://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html
A valid login and password is required to access the Tivoli Customer Support software download site.

Software prerequisites

Successful installation of Access Manager for WebLogic requires the prerequisites described in the following sections:
- Prerequisites on Access Manager policy server and authorization server
- Prerequisites on Access Manager WebSEAL
- Prerequisites on WebLogic Server on page 7
- Prerequisites on Access Manager runtime environment and Java runtime on page 7

Prerequisites on Access Manager policy server and authorization server

An Access Manager Version 3.9 secure domain must be installed and configured prior to installing Access Manager for WebLogic. The Access Manager secure domain is established when you install the IBM Tivoli Access Manager policy server. This policy server is distributed on the IBM Tivoli Access Manager Base Version 3.9 CD for your operating system. Typically, the Access Manager policy server is installed on a different system than the system that hosts Access Manager for WebLogic.

Access Manager supports two different modes of authorization: remote mode and local mode. Access Manager for WebLogic is typically run in remote mode. This requires that the Access Manager authorization server be installed on another system in the Access Manager secure domain. For a complete discussion of remote mode, see the IBM Tivoli Access Manager Base Administration Guide.

See the IBM Tivoli Access Manager Base Installation Guide for installation and configuration instructions for the Access Manager policy server and Access Manager authorization server. This document is included on the IBM Tivoli Access Manager Base Version 3.9 CD for your operating system.
Prerequisites on Access Manager WebSEAL

Access Manager WebSEAL provides web-based security services that can be used by Access Manager for WebLogic. When combined with WebSEAL junctions, Access Manager for WebLogic can be used to provide a WebSEAL to WebLogic Server single sign-on solution. Access Manager WebSEAL is typically installed on a system other than the system that hosts Access Manager for WebLogic.

Access Manager WebSEAL requires that the Access Manager policy server be installed and configured. For complete WebSEAL installation instructions, see the IBM Tivoli Access Manager WebSEAL Installation Guide. This guide is distributed on the IBM Tivoli Access Manager Web Security Version 3.9 CD.

Prerequisites on WebLogic Server

WebLogic Server 6.1 must be installed and configured on the system that will host Access Manager for WebLogic. WebLogic Server 6.1 is currently installed without a default Custom Realm and is launched using the startweblogic command. WebLogic Server should be running when Access Manager for WebLogic is installed. To start WebLogic Server, use the startweblogic command.

WebLogic Server is distributed with the necessary Java Runtime Environment (JRE). Access Manager for WebLogic uses this same JRE. Successful installation of WebLogic Server satisfies the Access Manager for WebLogic prerequisite for a JRE.

IBM Java Runtime Environment Version 1.3 on AIX

On AIX systems, WebLogic Server 6.1 requires IBM Java Runtime Environment (JRE) Version 1.3. WebLogic Server 6.1 distributes this JRE, and installs it during the WebLogic Server installation. Access Manager for WebLogic uses this same version of the JRE. Access Manager for WebLogic uses Java Native Interface (JNI) code. Ensure that the AIX environment is configured as described in:
/BEA_installation_directory/jdk130/README.HTML

Prerequisites on Access Manager runtime environment and Java runtime

The following components from the Access Manager Base must be installed on the system that will host Access Manager for WebLogic:
- Access Manager Version 3.9 runtime environment
- Access Manager Version 3.9 Java runtime
The Access Manager secure domain must be established prior to installing these components on the system that will host Access Manager for WebLogic. The Access Manager runtime environment provides necessary libraries and configuration information to enable the host system to access the secure domain.
The Access Manager Java runtime provides Java-based administration facilities. The Access Manager runtime environment and Access Manager Java runtime are distributed on the IBM Tivoli Access Manager Base CD for each supported operating system. For installation instructions, see the IBM Tivoli Access Manager Base Installation Guide.

Optional use of Access Manager ADK

The Access Manager ADK is optional but is recommended. The Access Manager ADK contains a demonstration application and a sample authorization API application configuration file. You can use this application and configuration file to test that the authorization API is correctly configured.

Note, however, that Access Manager for WebLogic ships a default configuration file called PDRealm.conf. You can use this configuration file to verify the authorization API configuration, instead of using the sample authorization API configuration file supplied in the ADK. Thus the Access Manager ADK is optional.

The Access Manager ADK is distributed on the IBM Tivoli Access Manager Base CD-ROM for each supported operating system. For installation instructions, see the IBM Tivoli Access Manager Base Installation Guide.

Installing Access Manager for WebLogic

Complete the instructions in the section for your operating system:
- Installing Access Manager for WebLogic on Solaris
- Installing Access Manager for WebLogic on AIX
- Installing Access Manager for WebLogic on HP-UX on page 9
- Installing Access Manager for WebLogic on Linux on page 10
- Installing Access Manager for WebLogic on Windows on page 11

Installing Access Manager for WebLogic on Solaris

The Access Manager for WebLogic installation separates file extraction from package configuration. Use pkgadd to install software packages on Solaris. Then configure Access Manager manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on Solaris" on page 25.

To install Access Manager for WebLogic on Solaris, complete the following instructions:
1. Log in as user root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on Solaris installation package. See "Installation packages" on page 6.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Change directory to the temporary directory. Enter the following command to install the Access Manager for WebLogic package:
   # pkgadd -d . PDWLS
   When prompted to continue, type y and press Enter. Files are extracted from the CD-ROM and installed on the hard disk. A message appears indicating that installation of the Access Manager package was successful. The pkgadd utility exits.
6. Next, configure Access Manager for WebLogic. Go to "Configuring Access Manager for WebLogic" on page 11.

Installing Access Manager for WebLogic on AIX

The Access Manager for WebLogic installation separates file extraction from package configuration. Use SMIT to install software packages on AIX. Then configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove the Access Manager for WebLogic package. See "Removing Access Manager for WebLogic on AIX" on page 26.

To install Access Manager for WebLogic on AIX, complete the following instructions:
1. Log in as root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on AIX installation package. See "Installation packages" on page 6.
4. Enter the following command at a shell prompt:
   # smit
   The SMIT utility starts.
5. Select Software Installation and Maintenance. Select Install and Update Software. On AIX 4.3 systems, select Install and Update Software from LATEST Available Software. On AIX 5L systems, select Install Software.
6. When prompted for the input device, enter the location where the installation images have been placed.
7. Click the List button for SOFTWARE to install. A Multi-select List window displays the list of IBM Tivoli Access Manager software packages.
8. Select the Access Manager for WebLogic package (PDWLS). Click OK.
9. The Install and Update Software from LATEST Available Software dialog box appears.
10. Verify that the default value of yes is present in the field labeled AUTOMATICALLY install requisite software.
11. Set other fields to values appropriate to your installation. In most cases, you can accept the default values. Click OK.
12. A message box appears asking if you are sure you want to install this package. Click OK. The package files are installed. Several status messages are displayed. A final status message indicates success upon completion of file extraction.
13. Click Done. Click Cancel to exit SMIT.
14. Next, configure Access Manager for WebLogic. Go to "Configuring Access Manager for WebLogic" on page 11.
Installing Access Manager for WebLogic on HP-UX

The Access Manager for WebLogic installation separates file extraction from package configuration. Use swinstall to install software packages on HP-UX. Then configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on HP-UX" on page 26.

To install Access Manager for WebLogic on HP-UX, complete the following steps:

1. Log in as user root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on HP-UX installation package. See "Installation packages" on page 6.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Enter the following command to install the Access Manager for WebLogic package:
   # swinstall -s /temp_directory PDWLS
   A message appears indicating that the analysis phase has succeeded. Another message appears indicating that the execution phase is beginning. Files are extracted from the CD-ROM and installed on the hard disk. A message appears indicating that the execution phase has succeeded. The swinstall utility exits.
6. Next, configure Access Manager for WebLogic. Go to "Configuring Access Manager for WebLogic" on page 11.

Installing Access Manager for WebLogic on Linux

The Access Manager for WebLogic installation separates file extraction from package configuration. Use rpm to install software packages on Linux. Then configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on Linux" on page 27.

To install Access Manager for WebLogic on Linux, complete the following steps:
1. Log in as user root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Set the following environment variable:
   # export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3:/usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
   Note: You must set this environment variable to avoid a conflict between the versions of the C++ libraries used by Access Manager and the IBM Global Security Toolkit.
4. Download the Access Manager for WebLogic on Linux installation package. See "Installation packages" on page 6.
5. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
6. Enter the following command to install the Access Manager for WebLogic package:
   # rpm -i PDWLS-PD-3.9.0-0.i386.rpm
   When prompted to continue, type y and press Enter. Files are extracted and installed on the hard disk. The rpm utility exits.
7. Next, configure Access Manager for WebLogic. Go to "Configuring Access Manager for WebLogic" on page 11.

Installing Access Manager for WebLogic on Windows

The Access Manager for WebLogic installation separates file extraction from package configuration. Use an InstallShield setup.exe to install the Access Manager for WebLogic files. Next, configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on Windows" on page 25.

To install and configure Access Manager for WebLogic on Windows, complete the following instructions:
1. Log in to the Windows domain as a user with Windows administrator privileges.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on Windows installation package. See "Installation packages" on page 6.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Run the Access Manager for WebLogic InstallShield setup program by double-clicking on the setup.exe file. The Choose Setup Language dialog box appears.
6. Select the appropriate language and click OK. The InstallShield program starts and the Welcome dialog box appears.
7. Click Next. The License Agreement dialog box appears.
8. Click Yes to accept the License Agreement. The Choose Destination Location dialog box appears.
9. Accept the default or specify an alternative location. Click Next. The files are extracted to the disk. A message appears indicating that the files have been installed.
10. Click Finish to exit the setup program.
11. Next, configure Access Manager for WebLogic. Go to "Configuring Access Manager for WebLogic".

Configuring Access Manager for WebLogic

Access Manager for WebLogic must be registered with the Access Manager secure domain as an Access Manager authorization API application.
Access Manager for WebLogic includes a sample configuration file, PDRealm.conf. This file is distributed in the etc directory located in the Access Manager for WebLogic installation directory. To configure Access Manager for WebLogic into the Access Manager secure domain, complete the following steps.
1. Verify that the following Access Manager Base components have been installed and configured:
   - Access Manager Base runtime environment
   - Access Manager Base Java runtime

   For more information, see "Software prerequisites" on page 6.
2. Copy the sample configuration file, PDRealm.conf, to a directory of your choice. For example, if you create a directory PDRealm under the WebLogic Server installation directory, use the following command (entered on one continuous line) to copy the configuration file:
   UNIX systems:
   # cp /Access_Manager_install_directory/etc/PDRealm.conf \
        /WebLogic_Server_install_directory/PDRealm/PDRealm.conf
   Windows systems:
   MSDOS> copy \Access_Manager_install_directory\etc\PDRealm.conf C:\WebLogic_install_directory\PDRealm\PDRealm.conf
3. Enter the following svrsslcfg command (as one continuous command line):
   UNIX systems:
   svrsslcfg -config -f /opt/bea/pdwlsrealm/pdrealm.conf -d /opt/bea/pdwlsrealm -n pdwlsrealm -s remote -P sec_master_password -S pdwlsrealm_password -r 0
   Windows systems:
   svrsslcfg -config -f c:\bea\pdwlsrealm\pdrealm.conf -d c:\bea\pdwlsrealm -n pdwlsrealm -s remote -P sec_master_password -S pdwlsrealm_password -r 0
   This example invocation of svrsslcfg accomplishes the following tasks:
   - Creates a user called pdwlsrealm. This user identity will be used by the application when communicating over SSL with the Access Manager policy server.
   - Creates an SSL key file for that user.
   - Adds the user to the remote-acl-users group (based on the -s remote option).
   - Modifies settings in the specified configuration file PDRealm.conf. Note that the absolute pathname of the configuration file must be supplied to the -f option.
   For more information about svrsslcfg, see the reference page "svrsslcfg" on page 30.
4. Verify that you can contact the Access Manager policy server by issuing the command:
   pdadmin> server list
5. Continue to the next section, "Configuring a Custom Realm".

Configuring a Custom Realm

Complete the following steps on the system that hosts the WebLogic Server:
1. Stop the WebLogic server.
2. Add the following file names to the CLASSPATH variable of the startweblogic command.
   UNIX systems:
   /opt/pdwls/lib/pdwasauthzmanager.jar
   /opt/pdwls/lib/pdauthzn.jar
   /opt/pdwls/lib/pdrealm.jar
   Windows systems:
   C:\Progra~1\Tivoli\pdwls\lib\PDWASAuthzManager.jar
   C:\Progra~1\Tivoli\pdwls\lib\pdAuthzn.jar
   C:\Progra~1\Tivoli\pdwls\lib\PDRealm.jar

   The startweblogic command is located in the directory of the installed domain of the WebLogic Server. In a standard installation this is:
   (Windows) C:\bea\wlserver6.1\config\mydomain
   (UNIX) /bea/wlserver6.1/config/mydomain
3. Complete the instructions in this step to ensure that the WebLogic Server loads the correct Java classes.
   CAUTION: You must complete this step or WebLogic Server will not restart.
   a. Remove the Access Manager Base Java runtime component files from the library extensions directory for the Java Runtime (JRE). The library extensions directory is:
      UNIX: /installation_directory/jre/lib/ext
      Windows: C:\installation_directory\jre\lib\ext
      Remove the following files from the library extensions directory:
      PD.jar
      US_export_policy.jar
      ibmjcefw.jar
      ibmjceprovider.jar
      ibmjsse.jar
      ibmpkcs.jar
      jaas.jar
      local_policy.jar
      Note: These files were copied to this directory during the configuration of the Access Manager Base Java runtime. You are removing a copy of the files. You are not removing the original files.
   b. Add the following entries to the CLASSPATH variable defined in the startweblogic script:
      UNIX systems:
      /Access_Manager_install_dir/java/export/pdjrte/PD.jar
      /Access_Manager_install_dir/java/export/pdjrte/US_export_policy.jar
      /Access_Manager_install_dir/java/export/pdjrte/ibmjcefw.jar
      /Access_Manager_install_dir/java/export/pdjrte/ibmjceprovider.jar
      /Access_Manager_install_dir/java/export/pdjrte/ibmjsse.jar
      /Access_Manager_install_dir/java/export/pdjrte/ibmpkcs.jar
      /Access_Manager_install_dir/java/export/pdjrte/jaas.jar
      /Access_Manager_install_dir/java/export/pdjrte/local_policy.jar
      Windows systems:
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\PD.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\US_export_policy.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmjcefw.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmjceprovider.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmjsse.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmpkcs.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\jaas.jar
      C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\local_policy.jar
4. If you are using the default language (English), skip this step. If you are using a language pack to support a language other than the default (English), you must add the following path to the CLASSPATH defined in the startweblogic script:
   UNIX systems:
   /opt/pdwls/nls/java
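A check for the class-loading caution in step 3, added here as an example (not from the guide): given the JRE extensions directory and the CLASSPATH string, it reports any of the eight pdjrte jars still present in lib/ext (step 3a) and any that have no CLASSPATH entry (step 3b). The sample layout it builds is constructed in a temporary directory; real paths come from your own installation.

```python
import os
import tempfile

# Jar names listed in steps 3a and 3b of the guide.
PDJRTE_JARS = [
    "PD.jar", "US_export_policy.jar", "ibmjcefw.jar", "ibmjceprovider.jar",
    "ibmjsse.jar", "ibmpkcs.jar", "jaas.jar", "local_policy.jar",
]


def check_pdjrte_layout(ext_dir, classpath, sep=os.pathsep):
    """Return (stale_in_ext, missing_from_classpath) for the pdjrte jars.

    stale_in_ext: jars still sitting in the JRE extensions directory, which
    the extension class loader would pick up ahead of the CLASSPATH copies
    missing_from_classpath: jars with no entry on the CLASSPATH at all
    """
    on_classpath = {os.path.basename(p) for p in classpath.split(sep) if p}
    stale = [j for j in PDJRTE_JARS if os.path.exists(os.path.join(ext_dir, j))]
    missing = [j for j in PDJRTE_JARS if j not in on_classpath]
    return stale, missing


def build_sample_layout():
    """Construct a JRE ext directory that still holds two copied jars, plus a
    CLASSPATH that omits one jar, and run the check against them."""
    root = tempfile.mkdtemp(prefix="pdwls-check-")
    ext_dir = os.path.join(root, "jre", "lib", "ext")
    os.makedirs(ext_dir)
    for leftover in ("PD.jar", "ibmjsse.jar"):   # copies that step 3a should have removed
        open(os.path.join(ext_dir, leftover), "wb").close()
    pdjrte = os.path.join(root, "java", "export", "pdjrte")   # constructed install dir
    classpath = os.pathsep.join(
        os.path.join(pdjrte, j) for j in PDJRTE_JARS if j != "jaas.jar")
    return check_pdjrte_layout(ext_dir, classpath)


if __name__ == "__main__":
    stale, missing = build_sample_layout()
    print("still in jre/lib/ext:", stale)
    print("missing from CLASSPATH:", missing)
```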