
Victaulic

Portal 6.1 TAM 6.0 Integration


Version <1.1>

Document Owner: Godfrey Onwunali Document Author: Godfrey Onwunali

December 28, 2009

Filename: PORTAL 6.1-TAM INTEGRATION.DOC

INDEX
1 Configuring single sign-on to Portal 6.1 with Tivoli Access Manager or WebSEAL ... 3
2 Setting up SSL ... 3
3 Required configuration Tasks in WebSEAL ... 4
3.1 LTPA Junction ... 5
3.2 TAI Junction ... 5
4 Configuring Tivoli Access Manager to perform authentication only to Portal 6.1 ... 6
5 Required Configurations in WAS (Portal 6.1) ... 7
5.1 Creating AMJRTE properties file ... 7

Encode Inc.--Confidential

Page 2 of 9

Portal 6.1 TAM integration

1 Configuring single sign-on to Portal 6.1 with Tivoli Access Manager or WebSEAL
IBM WebSphere Portal Express runs on IBM WebSphere Application Server, which can use Trust Association Interceptors (TAIs) to provide third-party authentication. WebSphere Portal Express and WebSphere Application Server support a TAI that is provided by Tivoli. If you use Tivoli Access Manager to perform authorization for WebSphere Portal Express, you must also use Tivoli Access Manager to perform the authentication. Using Tivoli Access Manager to perform only authorization is not supported.

Assumptions:

a) This procedure requires that you be familiar with WebSEAL administration concepts as presented in the WebSEAL Administrator's Guide. These are not the only options available for configuring WebSEAL with WebSphere Application Server. For complete descriptions of all the options, refer to the Tivoli Access Manager and WebSphere Application Server documentation.
b) This example assumes that HTTP Server is the Web server.
c) The term pdadmin refers to a command line utility that supports Tivoli Access Manager administrative functions.
d) In a clustered environment, you only need to perform these steps on one node in the cluster.
e) It is assumed that you have WebSphere Portal 6.1 already installed and properly configured.
f) ITAM and WebSEAL are assumed to be configured and running.

2 Setting up SSL
This section describes the overall tasks that are required to configure SSL for IBM WebSphere Portal Express. Some of these tasks are performed on the IBM WebSphere Application Server and the Web server. The steps that refer to the WebSphere Application Server and the Web server are summarized here; you should refer to the WebSphere Application Server and the Web server documentation for detailed information. Steps that are unique to WebSphere Portal Express are described in detail here.
Note: This procedure might be slightly different if a front-end security proxy server such as IBM Tivoli Access Manager for e-business WebSEAL is used. In that case, the front-end security server handles the client SSL connections, and the Web server receives connections from the front-end security proxy server. Mutually authenticated SSL can be configured between the Web server and the front-end security proxy server if needed; this is highly dependent on the security requirements of each deployment. If you plan to use a Tivoli Access Manager WebSEAL TAI with an SSL junction, perform only steps 1-3 of this procedure.

Important: If only the login process should be secure over SSL, perform the first three steps and then go to Configuring SSL only for the login process.

1. Configure the Web server to support HTTPS. This involves setting up the Web server to accept inbound connections from client browsers over SSL. The Web server must have a port defined (usually 443), and the necessary certificates and keys must be installed. Go to Securing with SSL communications for information on how to enable SSL on an IBM HTTP Server.

If this is a production environment, you must obtain a certificate from a certificate authority. For testing purposes, you can use IKEYMAN to generate a self-signed certificate. For Internet Information Server, use the Web server's resource tool kit to create SSL keys.

2. Configure the WebSphere Application Server plug-in for the Web server to forward WebSphere Portal Express traffic that is received over SSL to WebSphere Application Server (which then forwards the traffic to WebSphere Portal Express). Refer to Configuring the Web server plug-in for Secure Sockets Layer for information on how to configure the plug-in. That topic discusses the configuration for the IBM HTTP Server; however, the Web server-related configuration in this situation is not specific to any distributed platform Web server.

3. In configurations where the Web server and WebSphere Portal Express reside on separate machines, requests to the Web server are rerouted to the application server. Under these circumstances, you can also configure SSL between the Web server and the application server to provide more complete security. This requires that you create additional key files for the Web server plug-in and for the embedded HTTPS of WebSphere Application Server. For information on configuring SSL between the Web server and the application server, refer to the section entitled 7.3.1: Secure the transport channel between Web server and WebSphere, of the IBM WebSphere Application Server V6.1 Security Handbook, SG24-6316-00.

Note: Always create a new SSL keystore and truststore for the external Web server and change the WebSphere_Portal server's secure transport channel to use the new SSL repository.

CAUTION: Do not modify the default SSL key and truststore.

3 Required configuration Tasks in WebSEAL


Assuming the TAM environment is up and running, proceed to configure the junction to the portal server. There are two ways to create an SSO junction to the WebSphere Portal server: one uses an LTPA key and the other uses the TAI.


3.1 LTPA Junction:


Perform the following steps to create an SSL junction using LTPA authentication on the WebSEAL node:

a) Open a pdadmin command prompt from any node that has a Tivoli Access Manager Runtime component installed. This can be done on the Tivoli Access Manager Server node, the WebSEAL node or the WebSphere Portal Express node.

b) Enter the following command on one line:

server task WebSEAL-Instance-webseald-WebSEAL-HostName create -t ssl -b filter -A -F LTPA-Keys-Path -Z LTPA-Password -h Target-Host -c all /Junction-Name

The -A option enables LTPA cookies. The -F key-file option and argument specifies the full path name location on the WebSEAL server of the key file used to encrypt the shared key that is originally created on the WebSphere Application Server and copied securely to the WebSEAL server. Refer to the WebSphere Application Server product documentation for specific details regarding exporting the LTPA key. Verify that automatic LTPA key generation is disabled. The -Z keyfile-password option and argument specifies the password required to open the key file.

Optional:

If you plan to use an SSL junction, follow the instructions in steps 1-3 of section 2 above (Setting up SSL), then:

a) Use the IBM Key Management utility to load the Web server certificate into the keyring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
b) Restart WebSEAL.

3.2 TAI Junction


Since the setup in Victaulic requires TAM to only do authentication and not authorization, we used a TAI junction rather than TAI++.

Create the junction with one of the following pdadmin commands (TCP or SSL):

server task default-webseald-dev-vicweb.victaulic.com create -t tcp -h dev-ecom-app.victaulic.com -p 10040 -c all -b supply -j -J trailer -f /portal

OR

server task default-webseald-dev-vicweb.victaulic.com create -t ssl -h dev-ecom-app.victaulic.com -p 10041 -c all -b supply -j -J trailer -f /portal

Then set the HTTP-Tag-Value attributes on the junction object so that WebSEAL passes the listed credential attributes to the portal as HTTP headers:

object modify /WebSEAL/dev-vicweb-victatulic/portal set attribute HTTP-Tag-Value credattrs_DefaultLanguage=defaultLang
object modify /WebSEAL/dev-vicweb-victatulic/portal set attribute HTTP-Tag-Value credattrs_ApplicationRoles=roles
object modify /WebSEAL/dev-vicweb-victatulic/portal set attribute HTTP-Tag-Value credattrs_Location=location
object modify /WebSEAL/dev-vicweb-victatulic/portal set attribute HTTP-Tag-Value credattrs_LastName=lastName
object modify /WebSEAL/dev-vicweb-victatulic/portal set attribute HTTP-Tag-Value credattrs_FirstName=firstName
object modify /WebSEAL/dev-vicweb-victatulic/portal set attribute HTTP-Tag-Value credattrs_UserName=username

Optional:

If you plan to use an SSL junction, follow the instructions in steps 1-3 of section 2 above (Setting up SSL), then:

a) Use the IBM Key Management utility to load the Web server certificate into the keyring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
b) Restart WebSEAL.

4 Configuring Tivoli Access Manager to perform authentication only to Portal 6.1


Perform the following steps to configure Tivoli Access Manager to perform authentication only:

1) Create the desired junction (LTPA or TAI). One of the underlying TAI security requirements is the trusted user account in the Tivoli Access Manager user registry that WebSphere Application Server is configured to use. This is the ID and password that WebSEAL uses to identify itself to WebSphere Application Server.

Note: To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account should be for the TAI only.

2) Create a trusted user account by running the following commands:

pdadmin> user create vicwebseal uid=vicwebseal,cn=users,dc=Victaulic,dc=com vicwebseal vicwebseal !password!
pdadmin> user modify vicwebseal account-valid yes

3) Edit the WebSEAL configuration file webseal_install_directory/etc/webseald-default.conf and set the following parameter:

basicauth-dummy-passwd=webseal_userid_passwd

(In our case it is !password!.)

4) Note that webseal_userid_passwd is the SSO password for the trusted user account set in step 2.

5) The length of the generated URLs may cause problems if your WebSEAL instance is on the Windows platform. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.

6) Create a user wpsadmin if it does not exist already by using the command in step 2.

7) Create a group wpsadmins using the following command:

pdadmin> group create wpsadmins cn=wpsadmins,cn=groups,dc=Victaulic,dc=com cn=wpsadmins

8) Start the authorization server.
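To make the trust relationship behind steps 1-3 concrete, the following is an added Python model (written for this page; it is not the document's own material and not IBM's TAI implementation) of the check a trust association interceptor performs on each forwarded request: WebSEAL identifies itself to WebSphere Application Server with the trusted user and the basicauth-dummy-passwd value, and only when those credentials match is the end-user identity WebSEAL asserts accepted. It also shows why the note above matters: whoever holds the shared proxy password can assert any user name, so the account it belongs to should have no rights beyond the TAI. The iv-user header name, the credential values and the sample requests are assumptions constructed for the example.

```python
import base64
import hmac

# Constructed configuration (not the document's deployment): the trusted
# account created with "pdadmin> user create vicwebseal ..." and the password
# configured as basicauth-dummy-passwd. "!password!" is the document's placeholder.
TRUSTED_USER = "vicwebseal"
TRUSTED_PASSWORD = "!password!"
# Accounts the document says must never serve as the trusted TAI user.
PRIVILEGED_IDS = frozenset({"sec_master", "wpsadmin"})
# Header in which the proxy asserts the authenticated user over a -c all
# junction (assumed header name for this model).
USER_HEADER = "iv-user"


def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _equal(a, b):
    """Constant-time comparison for the shared proxy secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def assert_identity(headers, trusted_user=TRUSTED_USER, trusted_password=TRUSTED_PASSWORD):
    """Model of the TAI decision on one request.

    Returns the asserted portal user name when the proxy credentials match the
    trusted account, otherwise None (the container would then fall back to its
    normal authentication instead of trusting the header).
    """
    if trusted_user in PRIVILEGED_IDS:
        raise ValueError("trusted user must be a dedicated TAI-only account")
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    if not (_equal(user, trusted_user) and _equal(password, trusted_password)):
        return None
    asserted = headers.get(USER_HEADER, "").strip()
    return asserted or None


def basic_header(user, password):
    """Build the Authorization header value the proxy would send (constructed)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed requests: one forwarded by WebSEAL, one arriving without proxy credentials.
    forwarded = {"Authorization": basic_header(TRUSTED_USER, TRUSTED_PASSWORD), USER_HEADER: "jdoe"}
    direct = {USER_HEADER: "wpsadmin"}
    print(assert_identity(forwarded))  # jdoe
    print(assert_identity(direct))     # None
```

The second request carries a user header but no proxy credentials, so the model returns None: the header alone never establishes identity. This is also why the document's step 5 (ports open only to the junction) and the "TAI only" rule for the trusted account belong together; the proxy password is the whole trust anchor.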

5 Required Configurations in WAS (Portal 6.1)


Run the following validation task from the wp_profile_root\ConfigEngine directory to validate that the AMJRTE properties exist:

ConfigEngine.bat validate-pdadmin-connection -Dwp.ac.impl.PDAdminPwd=!password!

Note: If this task fails, run the run-svrssl-config task to create the properties file; see "Creating the AMJRTE properties file" for information about running this task. Then attempt the validate-pdadmin-connection task again. If this task still fails, do not proceed any further: it indicates that the portal cannot connect to the TAM server and subsequent tasks will fail. It might be necessary to configure parameter values in D:\APPS\WebSphere\PortalServer\base\wp.ac.impl\wp.ac.impl.properties.

5.1 Creating AMJRTE properties file


Use a text editor to open the wkplc_comp.properties file located in the wp_profile_root\ConfigEngine\properties directory. Enter only the following parameters in the wkplc_comp.properties file under the Tivoli Access Manager parameters heading:

a) wp.ac.impl.PDAdminPwd = !password!
b) wp.ac.impl.PDPermPath = D:/APPS/WebSphere/AppServer/java/jre/PdPerm.properties
c) wp.ac.impl.TamHost=dev-victam
d) wp.ac.impl.PDPolicyServerList=dev-victam:7135:1
e) wp.ac.impl.PDAuthzServerList=dev-victam:7136:1
f) wp.ac.impl.PDKeyPath=D:/APPS/WebSphere/AppServer/java/jre/lib/pdperm.ks

Enter only the following parameters in the wkplc_comp.properties file under the WebSEAL junction parameters heading:

a) wp.ac.impl.JunctionPoint=/portal
b) wp.ac.impl.WebSealInstance=default-webseald-dev-vicweb.victaulic.com (obtained by pdadmin server list)
c) wp.ac.impl.JunctionHost=dev-ecom-app
d) wp.ac.impl.JunctionPort=10040

1. Enter only the following parameters in the wkplc_comp.properties file under the WAS WebSEAL TAI parameters heading:

a) For wp.ac.impl.hostnames, enter the fully qualified URL for WebSphere Portal Express: dev-vicweb,dev-vicweb.victaulic.com,DEVVICWEB,DEV-VICWEB.VICTAULIC.COM
b) For wp.ac.impl.ports, enter the port number used to access the host machine identified in wp.ac.impl.hostnames: 80,443
c) For wp.ac.impl.loginId, enter the reverse proxy identity used when you create a TCP junction: vicwebseal
d) For wp.ac.impl.BaUserName, enter the reverse proxy identity used when you create an SSL junction: wpsadmin
e) For wp.ac.impl.BaPassword, enter the password for the SSL junction reverse proxy ID: wpsadmin
f) wp.ac.impl.ssoPwdExpiry=0 (0 means Portal never times out)

2. Save your changes to the wkplc_comp.properties file.

3. Run the following command from the wp_profile_root\ConfigEngine directory:

ConfigEngine.bat run-svrssl-config -Dwp.ac.impl.PDAdminPwd=!password!

NOTE: If you change any of the parameter values in the properties file, you will need to run the above command again. But before you do, you must first unconfigure by running the following command from the wp_profile_root\ConfigEngine directory:

ConfigEngine.bat run-svrssl-unconfig -Dwp.ac.impl.PDAdminPwd=!password!

4. Start the Tivoli Access Manager authorization server, which is required for successful single sign-on (SSO) to occur.

5. Run the following task from the wp_profile_root\ConfigEngine directory to configure the TAI for Tivoli Access Manager:

ConfigEngine.bat enable-tam-tai -DWasPassword=wpsadmin -Dwp.ac.impl.PDAdminPwd=!password!

If this command fails, it might be necessary to configure parameter values, much like in wkplc_comp.properties above, in D:\APPS\WebSphere\PortalServer\base\wp.ac.impl\wp.ac.impl.properties.

Note: If this is a clustered environment, WasPassword is the Deployment Manager administrative password.

6. Restart all required servers to propagate your changes.
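Because run-svrssl-config and enable-tam-tai only fail after the fact when a value in wkplc_comp.properties is wrong, the following added Python checker (written for this page; it is not part of the document or of the ConfigEngine tooling) lints the wp.ac.impl.* parameters from sections 5 and 5.1 before the tasks are run. It requires every key from the three parameter groups, and flags a loginId of sec_master or wpsadmin, which section 4 forbids for the trusted TAI account. The sample properties text is constructed from the document's values; the format checks beyond key presence (host:port:rank server entries, numeric ports, a junction point beginning with "/") are this example's own assumptions about well-formed values, not rules taken from the ConfigEngine tasks.

```python
import re

# Parameter groups exactly as listed in section 5.1 of this document.
TAM_KEYS = ("wp.ac.impl.PDAdminPwd", "wp.ac.impl.PDPermPath", "wp.ac.impl.TamHost",
            "wp.ac.impl.PDPolicyServerList", "wp.ac.impl.PDAuthzServerList",
            "wp.ac.impl.PDKeyPath")
JUNCTION_KEYS = ("wp.ac.impl.JunctionPoint", "wp.ac.impl.WebSealInstance",
                 "wp.ac.impl.JunctionHost", "wp.ac.impl.JunctionPort")
TAI_KEYS = ("wp.ac.impl.hostnames", "wp.ac.impl.ports", "wp.ac.impl.loginId",
            "wp.ac.impl.BaUserName", "wp.ac.impl.BaPassword", "wp.ac.impl.ssoPwdExpiry")
# Accounts section 4 says must not be used as the TAI trusted user.
PRIVILEGED = frozenset({"sec_master", "wpsadmin"})
# host:port:rank, the form the document uses for the policy/authz server lists (assumed format).
SERVER_ENTRY = re.compile(r"^[A-Za-z0-9.-]+:\d+:\d+$")


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value, '#'/'!' comment lines, blanks ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Return a list of findings (empty when the configuration passes all checks)."""
    findings = []
    for key in TAM_KEYS + JUNCTION_KEYS + TAI_KEYS:
        if not props.get(key):
            findings.append(f"missing or empty: {key}")
    for key in ("wp.ac.impl.PDPolicyServerList", "wp.ac.impl.PDAuthzServerList"):
        value = props.get(key, "")
        if value and not all(SERVER_ENTRY.match(v.strip()) for v in value.split(",")):
            findings.append(f"expected host:port:rank entries in {key}")
    if props.get("wp.ac.impl.loginId") in PRIVILEGED:
        findings.append("wp.ac.impl.loginId must be a dedicated TAI-only account, "
                        "not sec_master or wpsadmin")
    for key in ("wp.ac.impl.ports", "wp.ac.impl.JunctionPort"):
        value = props.get(key, "")
        if value and not all(p.strip().isdigit() for p in value.split(",")):
            findings.append(f"non-numeric port in {key}")
    junction = props.get("wp.ac.impl.JunctionPoint", "")
    if junction and not junction.startswith("/"):
        findings.append("wp.ac.impl.JunctionPoint must begin with '/'")
    return findings


# Constructed sample, following the values shown in section 5.1.
GOOD_SAMPLE = """\
# Tivoli Access Manager parameters
wp.ac.impl.PDAdminPwd = !password!
wp.ac.impl.PDPermPath = D:/APPS/WebSphere/AppServer/java/jre/PdPerm.properties
wp.ac.impl.TamHost=dev-victam
wp.ac.impl.PDPolicyServerList=dev-victam:7135:1
wp.ac.impl.PDAuthzServerList=dev-victam:7136:1
wp.ac.impl.PDKeyPath=D:/APPS/WebSphere/AppServer/java/jre/lib/pdperm.ks
# WebSEAL junction parameters
wp.ac.impl.JunctionPoint=/portal
wp.ac.impl.WebSealInstance=default-webseald-dev-vicweb.victaulic.com
wp.ac.impl.JunctionHost=dev-ecom-app
wp.ac.impl.JunctionPort=10040
# WAS WebSEAL TAI parameters
wp.ac.impl.hostnames=dev-vicweb,dev-vicweb.victaulic.com,DEVVICWEB,DEV-VICWEB.VICTAULIC.COM
wp.ac.impl.ports=80,443
wp.ac.impl.loginId=vicwebseal
wp.ac.impl.BaUserName=wpsadmin
wp.ac.impl.BaPassword=wpsadmin
wp.ac.impl.ssoPwdExpiry=0
"""

# The same sample with three deliberate defects (constructed): a privileged
# loginId, a non-numeric port and a missing key file path.
BAD_SAMPLE = (GOOD_SAMPLE
              .replace("wp.ac.impl.loginId=vicwebseal", "wp.ac.impl.loginId=wpsadmin")
              .replace("wp.ac.impl.ports=80,443", "wp.ac.impl.ports=80,https")
              .replace("wp.ac.impl.PDKeyPath=D:/APPS/WebSphere/AppServer/java/jre/lib/pdperm.ks\n", ""))


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_config(parse_properties(sample)) or "OK")
```

Run it against the real file with parse_properties(open(path).read()) before run-svrssl-config; an empty findings list means the three parameter groups are complete and the trusted-user rule from section 4 is respected. The checker deliberately does not touch the passwords' values, only their presence.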

TIP: If you receive HTTP 403 Forbidden after logging in to the portal through WebSEAL, check that the appropriate ports are open, such as the port used in the junction (10040) as well as 443, 1078 and 1086.
