Operating Systems: i5/OS
             Personalize the table of contents and search results

 

Configure global sign-on principal mapping

 

You can create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials.

 

Procedure

  1. Click Security > Secure administration, applications, and infrastructure.

  2. Under Authentication, click Java Authentication and Authorization Service > Application logins.

  3. Click New to create a new Java Authentication and Authorization Service (JAAS) login configuration.

  4. Enter the alias name of the new application login. Click Apply.

  5. Under Additional properties, click JAAS login modules to define the JAAS Login Modules.

  6. Click New and enter the following information:

    Module class name: com.tivoli.pdwas.gso.AMPrincipalMapper
    Use Login Module Proxy: enable
    Authentication strategy: REQUIRED

  7. Click Apply

  8. Under Additional Properties section, click Custom Properties to define login module-specific values that are passed directly to the underlying login modules.

  9. Click New.

    The Tivoli Access Manager principal mapping module uses the authDataAlias configuration string to retrieve the correct user name and password from the security configuration. The authDataAlias attribute that is passed to the module is configured for the J2C connection factory. Because the authDataAlias attribute is an arbitrary string that is entered at configuration time, the following scenarios are possible:

    The scenario to use is determined by a JAAS configuration option, as shown here:

    When entering authDataAlias attributes through the WebSphere Application Server administrative console, the node name is automatically pre-pended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name, as shown here:

    Note: If the PdPerm.properties configuration file is not located in the JAVA_HOME/PdPerm.properties default location, then you also need to add the following property:

    Enter each new parameter using the following scenario information as a guide, then click Apply.

    Scenario 1
    Auth Data Alias - BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 2
    Auth Data Alias - BackendEIS
    Resource - BackEndEIS
    User - Currently authenticated WebSphere Application Server user
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 3
    Auth Data Alias - nodename/BackendEIS/eisUser  
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 4
    Auth Data Alias - nodename/BackendEIS/eisUser  
    Resource - nodename/BackEndEIS (notice that node name is not removed)
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 5
    Auth Data Alias - BackendEIS/eisUser
    Resource - BackEndEIS
    User - eisUser
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 6
    Auth Data Alias - nodename/BackendEIS/eisUser
    Resource - nodename/BackendEIS/eisUser
                                 (notice that the resource is the same as Auth Data Alias).
    User - Currently authenticated WebSphere Application Server user
    Principal Mapping Parameters

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

  10. Create the Java 2 Connector (J2C) authentication aliases. The user name and password that are assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password that are assigned to the J2C authentication aliases need to exist so that they can be selected for the J2C connection factory in the administrative console.

    To create the J2C authentication aliases, from the WebSphere Application Server administrative console, click Security >Secure administration, applications, and infrastructure. Under Authentication, click Java Authentication and Authorization Service > J2C authentication data, and then click New for each new entry. Refer to the previous table for scenario inputs. The connection factories for each resource adapter that need to use the GSO database must be configured to use the Tivoli Access Manager Principal mapping module:

    1. From the WebSphere Application Server administrative console, click Applications > Enterprise Applications > application_name > Resourcer references. Note that J2C connection factories must be already configured for the selected application. To configure a new J2C connection factory, see Configuring J2EE Connector connection factories in the administrative console.

    2. Under Additional properties, click Resource Adapter.

      The resource adapter can be standalone and does not need to be packaged with the application. The resource adapter is configured from Resources > Resource Adapters for standalone scenarios.

    3. Under Additional properties, click J2C Connection Factories.

    4. Click New and enter the connection factory properties.

    5. When finished, click Apply > Save.

    Attention: Custom mapping configuration for the connection factory is deprecated in WebSphere Application Server Version 6. To configure the GSO credential mapping, use the Map Resource References to Resources panel on the administrative console. For more information, see J2EE connector security.



}

 

Related concepts


Global single sign-on principal mapping

 

Related tasks


Configuring single sign-on capability with Tivoli Access Manager or WebSEAL