4.5 Installing Tivoli Access Manager components


Tivoli Access Manager (TAM) consists of various components that interact. These components will normally be installed on various machines according to your specific security architecture.

In the secure portal implementation, we will require the following components to be installed on the Security Node. Refer to Figure 4-1, "Product mapping for the secure portal" on page 40 for the product mapping diagram.

  • Policy Server

  • Authorization Server

  • WebSEAL Server

In addition, we will need the TAM Java Runtime to be installed on the Application Node (where Portal is installed).

4.5.1 Installing Policy Server

The Tivoli Access Manager Policy Server is the core management server within an Access Manager secure domain. This server is key to the processing of access control, authentication and authorization requests. We therefore need to install the Policy Server component on the Security node.

Policy Server installation program

Log in as the Administrator user and start a command prompt. Insert the CD labeled Tivoli Access Manager for e-business Base for Windows. Change to the drive letter corresponding to the CD-ROM drive (in our environment, it is E:) and launch the ezinstall_pdmgr.bat file.

If you receive a prompt asking to use a response file that was created previously, respond by entering N. Since this installation program is running on the same machine where the IBM Directory Server is already installed, it will detect this and show that both the Directory Client and Global Security Toolkit components are installed and configured. It indicates that it will continue to install Access Manager Runtime and Policy Server (Figure 4-54).

Figure 4-54: IBM TAM Policy Server installation window

Press Enter to continue and the program then displays a window titled IBM Tivoli Access Manager Runtime Configuration Options. Type in the LDAP server host name, in our environment m23caatk (<SecurityNodeName>). Type in the LDAP DistinguishedName for the GSO Database, in our case dc=ibm,dc=com. The program asks if it should enable TAM to talk to LDAP over SSL; type y. It prompts for the LDAP SSL client key file. Type C:\keytabs\pd_ldapkey.kdb. It then asks for the SSL keyfile password, which is gsk4ikm. The values entered should be similar to those in Figure 4-55 on page 98.

Figure 4-55: IBM TAM Runtime Configuration Options

Press y to continue. You are then prompted for the TAM Policy Server Configuration options. The program asks for the LDAP administrator password; in our environment it is sah309r. It then prompts for the security master password; in our environment we will set it to sah309r. Please note that this entry is referring to the Tivoli Access Manager security master password (whose user ID is always sec_master). Re-enter the password for confirmation. The program then asks if you will allow other Access Manager Runtime machines to download the certificate file; press N for no.

Note 

Please notice that SSL Server Port (configuration item 4) is set to 7135; this is referring to the port that the TAM Policy Server will listen on for SSL encrypted communication. Take note of this because it will be required in later steps.

Figure 4-56: IBM TAM Policy Server configuration options

Press y to continue and the program should start installing. It will then inform you that it is installing IBM Tivoli Access Manager Runtime and then continue to install the IBM Tivoli Access Manager Policy Server. It should then provide you with the statement To complete the installation/configuration, the system must be restarted. Press Enter to continue and the installer will initiate the reboot.

Tip 

Do not remove the CD until the installer informs you of a successful installation/configuration.

After the system restarts, log in as Administrator again. The installer should automatically continue and will then configure the Tivoli Access Manager Runtime and Policy Server. When it completes, it will display a list of all the configured components that should be the same as shown in Figure 4-57 on page 100.

Figure 4-57: IBM TAM Policy Server successful install

Press Enter to continue and the install program will close.

4.5.2 Installing Authorization Server

The Tivoli Access Manager Authorization Server functions as the authorization decision-making engine. It can be used to offload access control and authorization decisions from the Policy Server for performance enhancement reasons. A separate Authorization Server is, however, needed to service authorization decisions when an application uses the TAM Authorization API in remote cache mode (which is what the Websphere Portal modules for integration with Tivoli Access Manager do). The Authorization Server component can be loaded on any remote machine (that has the Tivoli Access Manager Runtime installed and configured) and could conceivably be placed on the Application node. However, for ease of installation, we have chosen to install the Authorization Server component on the Security node.

Authorization Server installation program

Log in as the Administrator user and start a command prompt. Insert the CD labeled Tivoli Access Manager for e-business Base for Windows. Change to the drive letter corresponding to the CD-ROM drive (in our environment, it is E:) and launch the ezinstall_pdacld.bat file.

If you receive a prompt asking to use a response file that was created previously, respond N. Since this installation program is running on the same machine where the Policy Server is already installed, it will detect this and show that the Directory Client, Global Security Toolkit and Tivoli Access Manager Runtime components are installed and configured. It indicates that it will continue to install Access Manager Authorization Server.

Figure 4-58: IBM TAM Authorization Server Installation window

Press Enter to continue. You will be presented with a window titled IBM Tivoli Access Manager Authorization Server Options. Type in the LDAP administrator password, in our environment sah309r. Enter the security master password which in our case is sah309r. Please note that you are not prompted to re-enter these passwords for confirmation, so be very careful when entering them.

Note 

Please note that, even though it is not an explicit configuration option, the port on which the Tivoli Access Manager Authorization Server will listen for SSL encrypted communication is set by default to 7136. Take note of this as it will be required in later steps.

The configuration should look like that shown in Figure 4-59 on page 102.

Figure 4-59: IBM TAM Authorization Server options

Press y and Enter to continue. Installation will begin. When the installation has completed, the program will prompt you to Press Enter to continue. The final window should look like Figure 4-60.

Figure 4-60: IBM TAM Authorization Server successful installation

4.5.3 Installing WebSEAL

Tivoli Access Manager WebSEAL is a resource manager responsible for managing and protecting an organization's unified, secured Web object space. It functions as a high-performance reverse Web proxy server that applies a fine-grained security policy to all protected Web-based information and resources. The WebSEAL Server component is normally loaded on a bastion host placed in an Internet-connected Demilitarized Zone network. In our environment, we have chosen to install the WebSEAL Server on the Security node.

Changing HTTP Server ports

We will have to change the port on which the IBM HTTP Server on the Security node listens for requests so that it will not conflict later on with the ports chosen by WebSEAL (normally, the default HTTP port 80 and default HTTPS port 443). Open the C:\program files\IBM HTTP Server\conf folder and edit the httpd.conf file. Change the Port property from 80 to 81. Save the file and restart the IBM HTTP Server through the Services application (Start->Settings->Control panel->Administrative tools->Services).

Example 4-1: Httpd.conf file extract with changed Port

    # Port: The port the standalone listens to.
    # Port 80
    Port 81
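The port change above is a one-line edit, but on a shared Security node it is worth doing with a backup and a check that nothing else in httpd.conf still binds the ports WebSEAL is about to take. The following PowerShell script is an added example, not from the Redbook: the httpd.conf path is the one given in the text, while the Windows service name of the IBM HTTP Server is an assumption to be checked against the Services application.

```powershell
# Added example, not from the Redbook: move the IBM HTTP Server off the ports WebSEAL will
# take (80 and 443), keeping a backup of httpd.conf and checking for remaining conflicts.
# The service name is an assumption for the environment described in the text.
param(
    [string]$ConfPath    = 'C:\Program Files\IBM HTTP Server\conf\httpd.conf',
    [string]$ServiceName = 'IBM HTTP Server',   # assumed Windows service name; verify in Services
    [int]$NewPort        = 81,
    [int[]]$WebSealPorts = @(80, 443)           # WebSEAL defaults named in the text
)
$ErrorActionPreference = 'Stop'

if ($WebSealPorts -contains $NewPort) {
    throw "Port $NewPort is one of the WebSEAL ports; pick another port for IBM HTTP Server."
}

# Keep a timestamped copy so the change can be rolled back.
$backup = '{0}.{1}.bak' -f $ConfPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $ConfPath -Destination $backup

# Rewrite only the active (uncommented) Port directive and keep the old value as a
# comment, which is the form shown in Example 4-1.
$changed = $false
$newText = foreach ($line in (Get-Content -LiteralPath $ConfPath)) {
    if ($line -match '^\s*Port\s+(\d+)\s*$') {
        $changed = $true
        "# Port $($Matches[1])"
        "Port $NewPort"
    } else {
        $line
    }
}
if (-not $changed) { throw "No active Port directive found in $ConfPath" }
Set-Content -LiteralPath $ConfPath -Value $newText

# Any remaining Listen directive on 80 or 443 would still collide with WebSEAL.
$conflicts = Select-String -LiteralPath $ConfPath -Pattern '^\s*Listen\s+(?:[\w.\[\]:]+:)?(\d+)\s*$' |
    Where-Object { $WebSealPorts -contains [int]$_.Matches[0].Groups[1].Value }
foreach ($c in $conflicts) {
    Write-Warning "httpd.conf line $($c.LineNumber) still binds a WebSEAL port: $($c.Line.Trim())"
}

# Restart the server so the new port takes effect, then confirm it came back up.
Restart-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "IBM HTTP Server now configured for port $NewPort (backup: $backup)"
```

Run it from an elevated PowerShell prompt on the Security node; the Listen check is what catches the case where an earlier administrator added an explicit Listen 443 line that the Port directive alone does not govern.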

WebSEAL Server installation program

Log in as the Administrator user and start a command prompt. Insert the CD labeled Tivoli Access Manager for e-business Web Security for Windows. Change to the drive letter corresponding to the CD-ROM drive (in our environment, it is E:) and launch the ezinstall_pdweb.bat file.

If you receive a prompt asking to use a response file that was created previously, respond N. Since this installation program is running on the same machine where the Policy Server is already installed, it will detect this and show that the Directory Client, Global Security Toolkit and Tivoli Access Manager Runtime components are installed and configured. It indicates that it will continue to install Access Manager WebSEAL.

Figure 4-61: IBM TAM WebSEAL Server installation

Press Enter to continue. You will be presented with the Access Manager WebSEAL Server (PDWEB) options. You will be asked if you want to enable SSL with LDAP server, respond y and then press Enter. Enter the path for the LDAP SSL client key file, in our environment it is C:\keytabs\pd_ldapkey.kdb.

Enter the SSL keyfile password which in our case is gsk4ikm. Enter the LDAP server port number which is 636. Enter the security master password which we have defined as sah309r in our environment. The configuration should look like Figure 4-62 on page 105.

Figure 4-62: Access Manager WebSEAL Server configuration options

Press y and Enter to continue. Installation/configuration will then begin. Once the install has completed successfully, you should press Enter to continue.

Figure 4-63: IBM TAM WebSEAL Server successful installation

4.5.4 Verifying Tivoli Access Manager installation

Open the Services application (Start->Settings->Control panel->Administrative tools->Services) and confirm that the following services are started; if not, start them:

  • Access Manager Authorization Server

  • Access Manager Policy Server

  • Access Manager WebSEAL

Tip 

The Access Manager Auto-Start Service is just a helper application that starts any Tivoli Access Manager components in a controlled manner and order and then terminates. It is not necessary for it to be running continuously.

Start the Access Manager pdconfig program by selecting Start -> Programs -> Access Manager for e-business -> Configuration; all items should appear configured as shown in Figure 4-64.

Figure 4-64: Access Manager for e-business configuration

Start the Access Manager pdadmin program by selecting Start -> Programs -> Access Manager for e-business -> Administration Command Prompt. At the pdadmin> prompt, enter the command login. Type in sec_master as the user ID. Type in the password sah309r (in our environment). Issue the commands as shown below in Figure 4-65 and ensure that you receive similar output.

Figure 4-65: Objects created in TAM repository

Open a browser window and go to http://localhost:80; you should get the message Forbidden - The resource you have requested is secured by Access Manager WebSEAL. Click the link provided: Re-access the page using https. You will be prompted to accept a certificate and then for a user/password. Log in as sec_master/sah309r. An Access Manager product page will appear as shown in Figure 4-66 on page 108.

Figure 4-66: TAM for WebSEAL

If there are any problems with the above tests, please refer to the Tivoli Access Manager Installation Guide for troubleshooting/resolution actions.
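The checks in this section (services running, the SSL ports from the earlier notes, and WebSEAL refusing plain HTTP) can be scripted so they are repeatable after every fix pack or reboot. The following PowerShell script is an added example and not part of the Redbook; the service display names and port numbers are the ones stated in this chapter, and it assumes it is run locally on the Security node.

```powershell
# Added example, not from the Redbook: automate the checks of section 4.5.4 on the Security
# node. Service names and ports are those given in the text; the HTTP check expects the
# 403 "Forbidden" answer WebSEAL returns on plain HTTP before redirecting to HTTPS.
$ErrorActionPreference = 'Stop'
$problems = New-Object System.Collections.Generic.List[string]

# 1. The three Access Manager services must be running; start any that are not.
$serviceNames = @(
    'Access Manager Policy Server',
    'Access Manager Authorization Server',
    'Access Manager WebSEAL'
)
foreach ($name in $serviceNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { $problems.Add("service '$name' is not installed"); continue }
    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -InputObject $svc
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        } catch {
            $problems.Add("service '$name' could not be started: $($_.Exception.Message)")
        }
    }
}

# 2. Each component must accept connections on the port noted in the text.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
$expectedPorts = @{
    'Policy Server SSL'        = 7135
    'Authorization Server SSL' = 7136
    'WebSEAL HTTP'             = 80
    'WebSEAL HTTPS'            = 443
}
foreach ($entry in $expectedPorts.GetEnumerator()) {
    if (-not (Test-TcpPort -ComputerName 'localhost' -Port $entry.Value)) {
        $problems.Add("$($entry.Key) port $($entry.Value) is not accepting connections")
    }
}

# 3. WebSEAL must refuse plain HTTP with 403, the behaviour described in the text.
try {
    $resp = Invoke-WebRequest -Uri 'http://localhost:80/' -UseBasicParsing
    $problems.Add("expected HTTP 403 from WebSEAL on port 80, got $($resp.StatusCode)")
} catch {
    $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    if ($code -ne 403) { $problems.Add("expected HTTP 403 from WebSEAL on port 80, got $code") }
}

if ($problems.Count -eq 0) {
    Write-Host 'All Access Manager verification checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code makes the script usable as a post-change gate; the pdadmin object listing of Figure 4-65 and the HTTPS login are still done by hand, since they need the sec_master password.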

4.5.5 Installing Fix Packs for Tivoli Access Manager

The release notes of WebSphere Portal V5.0 state that integration with Tivoli Access Manager V4.1 requires installation of Tivoli Access Manager Fix Pack 2. At the time of this writing, the most current release is Tivoli Access Manager 4.1 Fix Pack 6 (which supersedes Fix Pack 2). We installed Fix Pack 6 for our implementation.

Refer to 4.1.1, "Hardware and software configurations" on page 41 for the URLs to obtain the Fix Packs.

Note that all of the following tasks have to be carried out on the Security node.

Backing up the TAM configuration

On the Access Manager server, close any open windows you might have. Open a command prompt and execute the following commands as we did in our environment:

    pdbackup -action backup -list "C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst" -path "C:\Program Files\Tivoli\Policy Director\backup" -file pre_fp5_base
    pdbackup -action backup -list "C:\Program Files\Tivoli\PDWeb\etc\amwebbackup.lst" -path "C:\Program Files\Tivoli\PDWeb\backup" -file pdweb

You may receive the following error:

    'C:\Program' is not recognized as an internal or external command, operable program or batch file.

Do not be overly concerned since this is a false error message and the command will normally complete properly. To confirm this, check the output file pdbackup.log in your temporary directory.
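Because the console message cannot be trusted here, it is better to judge the backup by what it produced. The following PowerShell script is an added example and not from the Redbook: it runs the two pdbackup commands from the text (assuming pdbackup is on the PATH, as it is at the Access Manager command prompt), then looks for the resulting archive and for pdbackup.log in the temporary directory. The archive file names and the assumption that pdbackup may add a suffix to them are mine.

```powershell
# Added example, not from the Redbook: run the two pdbackup commands from the text and judge
# success by the archive that appears and by pdbackup.log, not by the console, since the text
# notes the spurious "'C:\Program' is not recognized" message. Install paths are those used in
# the text; the archive name suffix is an assumption.
$pdBase = 'C:\Program Files\Tivoli\Policy Director'
$pdWeb  = 'C:\Program Files\Tivoli\PDWeb'
$jobs = @(
    @{ List = "$pdBase\etc\pdbackup.lst";   Dir = "$pdBase\backup"; Name = 'pre_fp6_base' },
    @{ List = "$pdWeb\etc\amwebbackup.lst"; Dir = "$pdWeb\backup";  Name = 'pre_fp6_pdweb' }
)
$log = Join-Path $env:TEMP 'pdbackup.log'   # the text says to check this file in the temp directory
$allOk = $true

foreach ($job in $jobs) {
    if (-not (Test-Path -LiteralPath $job.List)) {
        Write-Warning "backup list not found: $($job.List)"; $allOk = $false; continue
    }
    New-Item -ItemType Directory -Force -Path $job.Dir | Out-Null
    $started = Get-Date

    # Capture the console (including the spurious error) so it neither aborts the script
    # nor is mistaken for the real result.
    $console = & pdbackup -action backup -list $job.List -path $job.Dir -file $job.Name 2>&1 | Out-String

    # pdbackup may add its own suffix to the file name (assumption), so match on the prefix
    # and accept only files written after the command started.
    $archive = Get-ChildItem -LiteralPath $job.Dir -Filter "$($job.Name)*" |
        Where-Object { $_.LastWriteTime -ge $started } | Select-Object -First 1
    if ($archive) {
        Write-Host ("created {0} ({1:N0} KB)" -f $archive.FullName, ($archive.Length / 1KB))
    } else {
        Write-Warning "no archive for $($job.Name) appeared in $($job.Dir)"
        Write-Warning $console
        $allOk = $false
    }
}

# Show the end of pdbackup.log for review; a missing log means the tool did not run at all.
if (Test-Path -LiteralPath $log) {
    Write-Host "--- tail of $log ---"
    Get-Content -LiteralPath $log -Tail 20
} else {
    Write-Warning "$log was not written"; $allOk = $false
}
if (-not $allOk) { exit 1 }
```

Keeping the archive outside the product directories (or copying it off the node) is advisable, since the fix pack installers write into those same trees.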

Installing Global Security Toolkit V5.0.5.83

Open a Command Prompt and change into the temporary directory where you have copied the downloaded gsk5bas.exe file. Execute the command:

    gsk5bas.exe gsk5bas 

Example 4-2: Command gsk5bas.exe output

    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp>gsk5bas.exe gsk5bas
    BookManager (v9510) (C) Copyright IBM Corporation. 1989, 1995. All Rights Reserved. Licensed Materials.
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\DATA.TAG
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\data1.cab
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\lang.dat
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\layout.bin
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\os.dat
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\SETUP.EXE
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\SETUP.INI
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\setup.ins
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\setup.lid
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\_INST32I.EX_
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\_ISDEL.EXE
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\_SETUP.DLL
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\_sys1.cab
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\_user1.cab
    Exploding: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\gsk5bas\setup.iss
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp>

Change to the gsk5bas directory created by the above command and run the following command (as in our environment) which will launch the InstallShield program:

    setup gsk5 C:\PROGRA~1\IBM\gsk5 -sf1".\setup.iss" 

In the InstallShield Welcome window, click Next. Select Next to accept the default location for Global Security Toolkit and continue. The setup program will then install the Global Security Toolkit upgrade. When it finalizes, click Finish to close the program.

Reboot the server to apply all the changes. If you want to check that the GSKIT fixpack has been installed, you can execute the gsk5ver command from the C:\Program Files\IBM\gsk5\bin directory (as in our environment). The output should be similar to the following example.

Example 4-3: Extract from the gsk5ver command output

    C:\>"C:\Program Files\IBM\gsk5\bin\gsk5ver.exe" |find "ProductVersion"
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    @(#)ProductVersion:   5.0.5.83
    C:\>

Installing IBM Directory Server v4.1.1 Fix Pack FP411W-02

Refer to 4.1.1, "Hardware and software configurations" on page 41 for URLs to obtain the Fix Packs.

Unzip the downloaded IDS-FP411W-02.zip file into a temporary directory. From the Services application (Start->Settings->Control panel->Administrative tools->Services), stop the following services:

  • Access Manager WebSEAL

  • Access Manager Policy Server

  • Access Manager Authorization Server

  • IBM Directory Server V4.1

From a command prompt window, execute the following commands, where C:\TEMP\IDS-FP411W-02 is the temporary directory into which the zip file was extracted:

    cd C:\Program Files\IBM\LDAP\
    xcopy /S/Y C:\TEMP\IDS-FP411W-02 .

After executing, you should be informed that 42 File(s) have been copied.

You can now start the service IBM Directory Server V4.1.

Installing Tivoli Access Manager Fix Pack 6

From the Services application (Start->Settings->Control panel->Administrative tools->Services), stop the following services:

  • Access Manager WebSEAL

  • Access Manager Policy Server

Installing Tivoli Access Manager Base Patch

Run the 4.1-TAM-FP06-WIN.exe file downloaded. This will launch the InstallShield program. In the InstallShield Welcome window, click Next. Click Yes to accept the license agreement. The setup program will then install the patches. When it finalizes, click Finish to close the InstallShield program.

Installing Tivoli Access Manager WebSEAL Patch

Run the 4.1-AWS-FP06-WIN.exe file downloaded. This will launch the InstallShield program. In the InstallShield Welcome window, click Next. Click Yes to accept the license agreement. The setup program will then install the patches. When it finalizes, click Finish to close the InstallShield program.

Restarting Tivoli Access Manager Services

You can now use the Services application (Start->Settings->Control panel->Administrative tools->Services) to start the Access Manager Auto-Start service and after a couple of minutes you will see that it has started the other Access Manager services. If it does not do so, you can start them individually.

4.5.6 Installing Tivoli Access Manager Java Runtime Environment

The software required for integration with Tivoli Access Manager is supplied with WebSphere Portal Server as optional modules (provided as Java class files). This integration is enabled by configuring WebSphere Portal Server to use these modules.

These modules have been written to utilize the Tivoli Access Manager Application Programming Interface (API) but are reliant on external support of this API. The support of this API is actually provided by the Runtime Environment components of Tivoli Access Manager. It is therefore necessary to install the Tivoli Access Manager Java Runtime Environment on the Application node.

TAM Java Runtime Environment installation program

Log in as the Administrator user and start Windows Explorer. Insert the CD labeled Tivoli Access Manager for e-business Base for Windows. Select the drive letter corresponding to the CD-ROM drive (in our environment, it is E:), navigate to the folder \Windows\PolicyDirector\Disk Images\Disk1\PDJRTE\Disk Images\Disk1 and launch the setup.exe file.

Select English as the setup language and click OK. Press Next in the Welcome window. Accept the license. Press Next to accept the default destination folder of C:\Program Files\Tivoli\Policy Director. Accept the settings by pressing Next. Setup starts copying the files. When it finishes, an Install Complete window appears in which you have to click Finish.

Installing Tivoli Access Manager Fix Pack on the application node

The WebSphere Portal and Tivoli Access Manager integration requires that we apply a TAM Fix Pack. For more information, see section 4.5.5, "Installing Fix Packs for Tivoli Access Manager" on page 108.

Run the downloaded Fix Pack archive file 4.1-TAM-FP06-WIN.exe. This will launch the InstallShield program. In the InstallShield Welcome window, click Next. Click Yes to accept the license agreement. The setup program will then install the patches. When it finalizes, click Finish to close the InstallShield program. You have now upgraded the Access Manager Java Runtime Environment.

4.5.7 Configuring Tivoli Access Manager Java Runtime Environment

On the Application node, open a command prompt and change to the directory C:\program files\websphere\appserver\bin. Run the setupCmdLine.bat file in this directory. Execute the command:

    path %PATH%;%WAS_HOME%\java\jre\bin 

Change to C:\Program Files\Tivoli\Policy Director\sbin. Run the pdjrtecfg.bat file as follows:

    pdjrtecfg.bat -action config -java_home "C:\program files\websphere\appserver\java\jre"

If you check the C:\program Files\websphere\appserver\java\jre directory, you will see a newly created folder called PolicyDirector.

Change to the C:\program files\websphere\appserver\java\jre\bin directory. Run the following Tivoli configuration command:

    java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sah309r -appsvr_id m23x2896_amwps -port 7201 -mode remote -policysvr m23caatk.itso.ral.ibm.com:7135:1 -authzsvr m23caatk.itso.ral.ibm.com:7136:1 -cfg_file "C:\program files\websphere\appserver\java\jre\PDperm.properties" -key_file "C:\program files\websphere\appserver\java\jre\lib\security\PDperm.ks" -cfg_action replace

Important: 

The directory where the PDperm.properties is to be saved must be <was_root>\java\jre. Otherwise, when the class com.tivoli.mts.PDLoginModule (added in a later step) is called, it will not find this file.

You will receive an output message stating Configuration completed successfully.

If you happen to run into problems, which sometimes occurs, the command to undo the action is:

    java com.tivoli.pd.jcfg.SvrSslCfg -action unconfig -admin_id sec_master -admin_pwd sah309r -appsvr_id m23x2896_amwps -policysvr m23caatk.itso.ral.ibm.com:7135:1 -cfg_file "C:\program files\websphere\appserver\java\jre\PDperm.properties"

Important: 

In the above command, m23caatk is the Security node and m23x2896 is the Application node. Take care in typing this command. You will need to enter your parameters for your environment. There is no checking of any parameters by the Java program. If you type something wrong, you won't know until several steps later.

If you check the C:\program files\websphere\appserver\java\jre\lib\security directory, you will see that the PDperm.ks file has been created and in the C:\program files\websphere\appserver\java\jre directory, the PDperm.properties file has been created.
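Since SvrSslCfg validates none of its parameters and a mistake only surfaces several steps later, the checks the Java program omits can be done before calling it. The following PowerShell wrapper is an added example, not from the Redbook: it verifies the JRE has been prepared by pdjrtecfg, that the Security node resolves and answers on the 7135 and 7136 ports noted earlier, prompts for the sec_master password instead of placing it on the command line, runs the same SvrSslCfg invocation as in the text, and then confirms that PDperm.properties and PDperm.ks were created where the Important note says they must be. The default parameter values are placeholders for your environment, not values from the text.

```powershell
# Added example, not from the Redbook: pre-flight the SvrSslCfg parameters (the text warns that
# the Java program checks none of them), run the configuration, and confirm the two files it
# should create. The defaults are placeholders; fill them in for your environment.
param(
    [string]$WasRoot   = 'C:\Program Files\WebSphere\AppServer',   # <was_root> in the text
    [string]$AppSvrId  = '<appnode>_amwps',                        # placeholder, e.g. <hostname>_amwps
    [string]$PolicySvr = '<securitynode.fqdn>',                    # placeholder Security node host name
    [int]$PolicyPort   = 7135,                                     # Policy Server SSL port (4.5.1)
    [int]$AuthzPort    = 7136,                                     # Authorization Server SSL port (4.5.2)
    [int]$ListenPort   = 7201,
    [string]$AdminId   = 'sec_master'
)
$ErrorActionPreference = 'Stop'
$jreDir  = Join-Path $WasRoot 'java\jre'
$java    = Join-Path $jreDir 'bin\java.exe'
$cfgFile = Join-Path $jreDir 'PDperm.properties'        # must live in <was_root>\java\jre (Important note)
$keyFile = Join-Path $jreDir 'lib\security\PDperm.ks'

# 1. The checks the Java program will not do for you.
if (-not (Test-Path -LiteralPath $java)) { throw "No JRE at $jreDir" }
if (-not (Test-Path -LiteralPath (Join-Path $jreDir 'PolicyDirector'))) {
    throw "pdjrtecfg has not configured this JRE (no PolicyDirector folder under $jreDir)"
}
foreach ($v in $AppSvrId, $PolicySvr) {
    if ($v -match '[<>\s]') { throw "Placeholder value still present: '$v'" }
}
try { [void][System.Net.Dns]::GetHostEntry($PolicySvr) }
catch { throw "Cannot resolve policy server host '$PolicySvr'" }
foreach ($port in $PolicyPort, $AuthzPort) {
    try { (New-Object System.Net.Sockets.TcpClient($PolicySvr, $port)).Close() }
    catch { throw "Nothing is listening on ${PolicySvr}:$port; check the Security node services" }
}

# 2. Take the password at the prompt rather than leaving it in shell history or the script.
$secure   = Read-Host "Password for $AdminId" -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plainPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 3. Run SvrSslCfg with the same arguments as the text, in remote mode against both servers.
$javaArgs = @(
    'com.tivoli.pd.jcfg.SvrSslCfg', '-action', 'config',
    '-admin_id', $AdminId, '-admin_pwd', $plainPwd,
    '-appsvr_id', $AppSvrId, '-port', $ListenPort, '-mode', 'remote',
    '-policysvr', "${PolicySvr}:${PolicyPort}:1",
    '-authzsvr',  "${PolicySvr}:${AuthzPort}:1",
    '-cfg_file', $cfgFile, '-key_file', $keyFile, '-cfg_action', 'replace'
)
Push-Location (Join-Path $jreDir 'bin')
try {
    $ErrorActionPreference = 'Continue'   # stderr text from java must not be turned into an exception
    $output = & $java @javaArgs 2>&1 | Out-String
} finally {
    $ErrorActionPreference = 'Stop'
    Pop-Location
    $plainPwd = $null
}

# 4. Trust the artifacts, not only the message.
if ($output -notmatch 'Configuration completed successfully') {
    throw "SvrSslCfg did not report success:`n$output"
}
foreach ($f in $cfgFile, $keyFile) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Expected file was not created: $f" }
}
Write-Host "PDperm.properties and PDperm.ks created under $jreDir"
```

The placeholder check is deliberate: the script refuses to run until the application server identifier and the Security node host name have been replaced, which is exactly the kind of typo the Important note warns would otherwise go unnoticed until later steps.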

Note 

If the configuration of the AMJRTE is done before installing any Fix Pack, then it is necessary to manually copy the updated .jar file from the default location C:\Program Files\Tivoli\Policy Director\java\export\pdjrte to the C:\program files\websphere\appserver\java\jre\lib\ext folder.



A Secure Portal Using Websphere Portal V5 and Tivoli Access Manager V4.1
ISBN: 073849853X
Year: 2003
Authors: IBM Redbooks