IBM Tivoli Access Manager for WebLogic Server User’s Guide Version 3.9 GC32-0851-00



Note: Before using this information and the product it supports, read the information in Appendix B, “Notices” on page 35.

Second Edition (April 2002)

This edition replaces SC32-0831-00

© Copyright International Business Machines Corporation 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface ... v
  Who should read this guide ... v
  What this guide contains ... v
  Publications ... vi
    IBM Tivoli Access Manager ... vi
    Related publications ... viii
    Accessing publications online ... x
    Ordering publications ... x
    Providing feedback about publications ... x
  Accessibility ... x
  Contacting customer support ... xi
  Conventions used in this book ... xi
    Typeface conventions ... xi

Chapter 1. Introducing IBM Tivoli Access Manager for WebLogic Server ... 1
  Introducing Access Manager ... 1
  Integrating Access Manager and WebLogic Server ... 2
    Using Access Manager authentication ... 3
    Using Access Manager authorization ... 4

Chapter 2. Installing IBM Tivoli Access Manager for WebLogic Server ... 5
  Supported platforms ... 5
  Disk and memory requirements ... 5
  Installation packages ... 6
  Software prerequisites ... 6
    Prerequisites on Access Manager policy server and authorization server ... 6
    Prerequisites on Access Manager WebSEAL ... 6
    Prerequisites on WebLogic Server ... 7
    Prerequisites on Access Manager runtime environment and Java runtime ... 7
    Optional use of Access Manager ADK ... 7
  Installing Access Manager for WebLogic ... 8
    Installing Access Manager for WebLogic on Solaris ... 8
    Installing Access Manager for WebLogic on AIX ... 8
    Installing Access Manager for WebLogic on HP-UX ... 9
    Installing Access Manager for WebLogic on Linux ... 10
    Installing Access Manager for WebLogic on Windows ... 11
  Configuring Access Manager for WebLogic ... 11
    Configuring a Custom Realm ... 15
    Configuring a WebSEAL junction for the WebLogic Server ... 19
    Testing the configuration ... 19

Chapter 3. Using IBM Tivoli Access Manager for WebLogic Server ... 21
  Using the demonstration application ... 22
  Creating test users ... 22
  Usage tips ... 22
  Troubleshooting tips ... 23
  Limitations ... 23

Chapter 4. Removing IBM Tivoli Access Manager for WebLogic Server ... 25
  Removing Access Manager for WebLogic on Solaris ... 25
  Removing Access Manager for WebLogic on Windows ... 25
  Removing Access Manager for WebLogic on AIX ... 26
  Removing Access Manager for WebLogic on HP-UX ... 26
  Removing Access Manager for WebLogic on Linux ... 27

Appendix A. svrsslcfg reference ... 29
  svrsslcfg ... 30

Appendix B. Notices ... 35
  Trademarks ... 37

Preface

Welcome to IBM® Tivoli® Access Manager for WebLogic Server (Access Manager for WebLogic). This product extends IBM Tivoli Access Manager to support applications written for BEA™ WebLogic® Server.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

The IBM Tivoli Access Manager for WebLogic Server User’s Guide provides installation, configuration, and administration instructions for using Access Manager with WebLogic Server.

Who should read this guide
The target audience for this administration guide includes:
• Security administrators
• Network system administrators
• IT architects

Readers should be familiar with:
• Internet protocols, including HTTP, TCP/IP, file transfer protocol (FTP), and telnet
• Deployment and management of WebLogic Server systems
• Security management, including authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this guide contains
This document contains the following chapters:
• Chapter 1, “Introducing IBM Tivoli Access Manager for WebLogic Server”
  Presents an overview of the authentication and authorization services provided by Access Manager for WebLogic.
• Chapter 2, “Installing IBM Tivoli Access Manager for WebLogic Server”
  Describes how to install and configure Access Manager for WebLogic.
• Chapter 3, “Using IBM Tivoli Access Manager for WebLogic Server”
  Describes how to use the demonstration application, and provides usage tips, troubleshooting information, and limitations.
• Chapter 4, “Removing IBM Tivoli Access Manager for WebLogic Server”
  Describes how to remove Access Manager for WebLogic.


Publications
This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

IBM Tivoli Access Manager
The Access Manager library is organized into the following categories:
• Release information
• Base information
• WebSEAL information
• Web security information
• Developer reference information
• Supplemental technical information

For additional sources of information about Access Manager and related topics, see the following Web sites:
http://www.ibm.com/redbooks
https://www.tivoli.com/secure/support/documents/fieldguides

Release information
• IBM Tivoli Access Manager for e-business Read Me First
  GI11-0918 (am39_readme.pdf)
  Provides information for installing and getting started using Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes
  GI11-0919 (am39_relnotes.pdf)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information
• IBM Tivoli Access Manager Base Installation Guide
  GC32-0844 (am39_install.pdf)
  Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.
• IBM Tivoli Access Manager Base Administrator’s Guide
  GC23-4684 (am39_admin.pdf)
  Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command.
• IBM Tivoli Access Manager Base for Linux on zSeries™ Installation Guide
  GC23-4796 (am39_zinstall.pdf)
  Explains how to install and configure Access Manager Base for Linux on the zSeries platform.

WebSEAL information
• IBM Tivoli Access Manager WebSEAL Installation Guide
  GC32-0848 (amweb39_install.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.


• IBM Tivoli Access Manager WebSEAL Administrator’s Guide
  GC23-4682 (amweb39_admin.pdf)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager WebSEAL Developer’s Reference
  GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.
• IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide
  GC23-4797 (amweb39_zinstall.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit for Linux on the zSeries platform.

Web security information
• IBM Tivoli Access Manager for WebSphere Application Server User’s Guide
  GC32-0850 (amwas39_user.pdf)
  Provides installation, removal, and administration instructions for Access Manager for IBM WebSphere® Application Server.
• IBM Tivoli Access Manager for WebLogic Server User’s Guide
  GC32-0851 (amwls39_user.pdf)
  Provides installation, removal, and administration instructions for Access Manager for BEA WebLogic Server.
• IBM Tivoli Access Manager Plug-in for Edge Server User’s Guide
  GC23-4685 (amedge39_user.pdf)
  Describes how to install, configure, and administer the plug-in for IBM WebSphere Edge Server.
• IBM Tivoli Access Manager Plug-in for Web Servers User’s Guide
  GC23-4686 (amws39_user.pdf)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers application.

Developer references
• IBM Tivoli Access Manager Authorization C API Developer’s Reference
  GC32-0849 (am39_authC_devref.pdf)
  Provides reference material that describes how to use the Access Manager authorization C API and the Access Manager service plug-in interface to add Access Manager security to applications.
• IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference
  GC23-4688 (am39_authJ_devref.pdf)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Access Manager security.
• IBM Tivoli Access Manager Administration C API Developer’s Reference
  GC32-0843 (am39_adminC_devref.pdf)
  Provides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API.

• IBM Tivoli Access Manager Administration Java Classes Developer’s Reference
  SC32-0842 (am39_adminJ_devref.pdf)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Access Manager administration tasks.
• IBM Tivoli Access Manager WebSEAL Developer’s Reference
  GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements
• IBM Tivoli Access Manager Performance Tuning Guide
  GC43-0846 (am39_perftune.pdf)
  Provides performance tuning information for an environment consisting of Access Manager with IBM SecureWay Directory defined as the user registry.
• IBM Tivoli Access Manager Capacity Planning Guide
  GC32-0847 (am39_capplan.pdf)
  Assists planners in determining the number of WebSEAL, LDAP, and backend Web servers needed to achieve a required workload.
• IBM Tivoli Access Manager Error Message Reference
  SC32-0845 (am39_error_ref.pdf)
  Provides explanations and recommended actions for the messages produced by Access Manager.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at the following Web site:
http://www.tivoli.com/support/documents/glossary/termsm03.htm

Related publications
This section lists publications related to the Access Manager library.

IBM DB2 Universal Database
IBM DB2® Universal Database™ is required when installing IBM SecureWay Directory, z/OS™, and OS/390® SecureWay LDAP servers. DB2 information is available at the following Web site:
http://www.ibm.com/software/data/db2/

IBM SecureWay Directory
IBM SecureWay Directory, Version 3.2.2, is shipped on the IBM Tivoli Access Manager Base CD for your particular platform. If you plan to install the IBM SecureWay Directory server as your user registry, the following documents are available in the /doc/Directory path on the IBM Tivoli Access Manager Base CD for your particular platform:
• IBM SecureWay Directory Installation and Configuration Guide
  SC32-0845 (aparent.pdf, lparent.pdf, sparent.pdf, wparent.pdf)
  Provides installation, configuration, and migration information for IBM SecureWay Directory components on AIX®, Linux, Solaris, and Microsoft® Windows® operating systems.
• IBM SecureWay Directory Release Notes
  (relnote.pdf)
  Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made available to you in this release.

• IBM SecureWay Directory Readme Addendum
  (addendum322.pdf)
  Provides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This file is in English only.
• IBM SecureWay Directory Server Readme
  (server.pdf)
  Provides a description of the IBM SecureWay Directory Server, Version 3.2.2.
• IBM SecureWay Directory Client Readme
  (client.pdf)
  Provides a description of the IBM SecureWay Directory Client SDK, Version 3.2.2. This software development kit (SDK) provides LDAP application development support.
• SSL Introduction and iKeyman User’s Guide
  (gskikm5c.pdf)
  Provides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain.
• IBM SecureWay Directory Configuration Schema
  (scparent.pdf)
  Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) format in the slapd32.conf file.
• IBM SecureWay Directory Tuning Guide
  (tuning.pdf)
  Provides performance tuning information for IBM SecureWay Directory. Tuning considerations for directory sizes ranging from a few thousand entries to millions of entries are given where applicable.

For more information about IBM SecureWay Directory, see the following Web site:
http://www.software.ibm.com/network/directory/library/

IBM WebSphere Application Server
IBM WebSphere Application Server Standard Edition, Version 4.0.2, is installed with the Web portal manager interface. For information about IBM WebSphere Application Server, see the following Web site:
http://www.ibm.com/software/webservers/appserv/infocenter.html


Accessing publications online
Publications in the product libraries are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD.

When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products.

You can access the Tivoli Information Center and other sources of technical information from the following Web site:
http://www.tivoli.com/support/documents/

Information is organized by product, including release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File → Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications
You can order many Tivoli publications online at the following Web site:
http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968
• In other countries, for a list of telephone numbers, see the following Web site:
  http://www.tivoli.com/inside/store/lit_order.html

Providing feedback about publications
We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
• Send an e-mail to [email protected]
• Complete our customer feedback survey at the following Web site:
  http://www.tivoli.com/support/survey/

Accessibility
Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.


Contacting customer support
If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:
http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:
• Registration and eligibility
• Telephone numbers and e-mail addresses, depending on the country in which you are located
• What information to gather before contacting support

Conventions used in this book
This guide uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions
The following typeface conventions are used in this book:
Bold: Command names and options, keywords, and other information that you must use literally appear in bold.
Italic: Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.
Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.


Chapter 1. Introducing IBM Tivoli Access Manager for WebLogic Server

IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic) is an extension to IBM Tivoli Access Manager (Access Manager) that implements an Access Manager Custom Realm for BEA WebLogic Server 6.1. The Custom Realm provides a user registry that is administered by Access Manager. Access Manager uses group memberships in the user registry to affect authorization decisions made by WebLogic Server. The Custom Realm can also be used with IBM Tivoli Access Manager WebSEAL (WebSEAL) to support end-user single sign-on.

Access Manager for WebLogic enables WebLogic Server applications to use Access Manager security without requiring any coding or deployment changes.

Introducing Access Manager
Access Manager for WebLogic implements a Custom Realm using the security services provided by an Access Manager secure domain. The Access Manager secure domain must be deployed prior to installation of Access Manager for WebLogic.

Users who are new to Access Manager should review the Access Manager security model before deploying an Access Manager secure domain. A brief summary of the Access Manager security model is presented here.

Access Manager is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets.

Access Manager features state-of-the-art security policy management. In addition, Access Manager supports authentication, authorization, data security, and resource management capabilities. You use Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets and extranets.

At its core, Access Manager provides:
• An authentication framework
  Access Manager supports a wide range of authentication mechanisms.
• An authorization framework
  Access Manager provides a framework for authorization policy management. Authorization policy is managed centrally and distributed automatically to access enforcement points across the enterprise, including the Access Manager servers. The Access Manager authorization service provides permit and deny decisions on access requests for native Access Manager servers and third-party applications.

WebSEAL is the Access Manager resource security manager for Web-based resources. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security to protected Web resources. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.


You can learn more about Access Manager, including information necessary to make deployment decisions, by reviewing the documentation distributed with IBM Tivoli Access Manager Version 3.9. Start with the following guides:
• IBM Tivoli Access Manager Base Installation Guide, GC32-0735
  This guide describes how to plan, install, and configure an Access Manager secure domain. A series of easy installation scripts enable you to quickly deploy a fully functional secure domain. These scripts are very useful when prototyping a secure domain that meets your security policy requirements.
• IBM Tivoli Access Manager Base Administration Guide, GC32-0680
  This document presents an overview of the Access Manager security model for managing protected resources. This guide also describes how to configure the Access Manager servers that make access control decisions. In addition, detailed instructions describe how to perform important tasks such as declaring security policies, defining protected object namespaces, and administering user and group profiles.
• IBM Tivoli Access Manager WebSEAL Administration Guide, GC32-0684
  This guide provides a comprehensive set of procedures and reference information for managing resources in a secure Web domain. The guide also presents overview and concept material that describes the wide range of WebSEAL functionality.
• IBM Tivoli Access Manager Authorization C API Developer Reference, GC32-0813
  This guide describes how to use the Access Manager authorization API to add security to third party applications. This document includes a description of the svrsslcfg utility. This utility is used during the configuration of Access Manager for WebLogic.

The Access Manager documentation is included on the IBM Tivoli Access Manager Version 3.9 CD-ROMs, and is also available from the Tivoli Customer Support Web site. See “Accessing publications online” on page x.

Integrating Access Manager and WebLogic Server
The integration of Access Manager with WebLogic Server 6.1 enables WebLogic applications to take advantage of the following Access Manager features:
• Centralized access control of WebLogic resources in the following way:
  – Changing a user’s group memberships alters their access privileges to WebLogic’s Java 2 Enterprise Edition (J2EE) resources in accordance with the group-to-role mappings contained in the deployment descriptors for each WebLogic Server application.
  – WebSEAL controls access to Uniform Resource Locators (URLs) that correspond to objects in the Access Manager policy database. These can be static URL strings or can be represented by pattern matching.
  Integrated authorization is achieved by WebLogic Server’s use of the Access Manager for WebLogic Custom Realm to determine which users belong to the groups that are mapped to the J2EE application’s security roles. This means that an Access Manager administrator can affect the authorization decisions of WebLogic Server through group membership within the Access Manager registry.
• Centralized user registry used by the Access Manager policy server and WebLogic Server. The Access Manager Version 3.9 product distribution includes IBM SecureWay Directory 3.2.2. The Access Manager for WebLogic Custom Realm allows this registry, as well as other third-party registries that are supported by Access Manager Version 3.9, to be used as the WebLogic registry.
• Single sign-on through the use of WebSEAL.
  Single sign-on is achieved by combining the one-time user authentication of WebSEAL with the validation of user identity by the Access Manager for WebLogic Custom Realm. This allows many authentication mechanisms, including certificates, to be used without any impact to the target application.
  The WebLogic server’s trust of WebSEAL is achieved through a combination of a WebSEAL junction and the use of the Access Manager for WebLogic Custom Realm. A junction is a network connection between a WebSEAL server and an application server, such that:
  1. There is trust between WebSEAL and the application server.
  2. WebSEAL protects both its own resources and the resources on the junctioned application server.

Using Access Manager authenticationFigure 1 displays the model for the processing of requests for access to protectedresources. Requests can come from either external users or internal users.

Authenticating external users1. An external user requests access to a protected resource. The request is received

by WebSEAL before entering the secure network of the enterprise. (See Figure1, arrow 1A)

2. WebSEAL authenticates the user in the Access Manager secure domain. (SeeFigure 1, arrow 2)WebSEAL supports the following authentication methods: username/password,certificates, username and RSA SecureID, or a custom authenticationmechanism.

InternalBrowser

WebLogic Server 6.1

J2EEApplicationDeploymentDescriptors

WebLogicUser

Authentication

Access ManagerCustom Realm

for WebLogic Server

WebLogicAccess

Managers

ExternalBrowser

AccessManager

WebSEAL

Access ManagerPolicy Server

Policy Database

1A

1B

2

3

4

5

B

A

User Registry

Figure 1. Access Manager provides single sign-on authentication and a Custom Realm forauthorization decisions

Chapter 1. Introducing IBM Tivoli Access Manager for WebLogic Server 3

Page 18: IBM Tivoli Access Manager for WebLogic Server: User s Guidepublib.boulder.ibm.com/tividd/td/ITAME/GC32-0851...v IBM Tivoli Access Manager for WebLogic Server User’s Guide GC32-0851

Once authenticated, WebSEAL applies its own authorization decision based on the requested URL and the Access Manager access policy. WebSEAL can apply considerations such as account validity, time-of-day, and authentication mechanism.
3. Once authorized, WebSEAL forwards the request to the WebLogic server. The request includes the external username and a special password within the basic authentication header. The special password belongs to the configured_user, and allows the Access Manager for WebLogic Custom Realm to confirm WebSEAL as the origin of the request. (See Figure 1, arrow 3)
For more information about the configured_user, see "Configuring a Custom Realm" on page 12.
4. The WebLogic server transparently passes the authenticated user identity and password to the Access Manager Custom Realm. (See Figure 1, arrow 4)
5. The Access Manager Custom Realm uses Access Manager authentication services to verify that the password provided by WebSEAL is correct for the configured_user described above. That is, this password, not the external user's own password, provides the basis of trust that the request's origin is WebSEAL. (See Figure 1, arrow 5)

The request is now ready for authorization.

Authenticating internal users
Figure 1 also displays the model for the processing of requests for access to protected resources by internal users that do not go through a WebSEAL junction:
1. An internal user sends a request for access to a protected resource. (See Figure 1, arrow 1B)
2. The WebLogic user authentication module sends the user identity to the Access Manager Custom Realm. (See Figure 1, arrow 4)
3. The Access Manager Custom Realm sends the authentication request to the user registry. (See Figure 1, arrow 5)
If authentication is successful, the Access Manager Custom Realm returns the username to WebLogic Server as the authenticated user.

The request is now ready for authorization.
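The two authentication paths above (WebSEAL forwarding an external user with the configured_user password, and an internal user presenting their own credentials) both arrive at the Custom Realm as one basic authentication credential. The following is an added example, not code from IBM or from the product, that models the decision the realm has to make on that credential. The user registry is a constructed dictionary standing in for Access Manager authentication services; the user and password names (websealsso, pdwebwlssso, alice, bob) follow the guide's own examples or are made up here, and the requirement that an asserted external user must exist in the registry is an assumption the guide does not state.

```python
"""Model of the trust decision the Access Manager Custom Realm makes on a basic
authentication credential (Figure 1, arrows 3-5 for WebSEAL, 1B/4/5 for internal users).

Added example, not the product's code. REGISTRY is a constructed stand-in for the
Access Manager user registry / authentication services.
"""
import base64
import hmac

# Constructed stand-in for the Access Manager user registry: username -> password.
REGISTRY = {
    "websealsso": "pdwebwlssso",  # the configured_user (wls.admin.user) from the guide's example
    "alice": "alice-secret",
    "bob": "bob-secret",
}
CONFIGURED_USER = "websealsso"


def registry_authenticate(username, password):
    """Stand-in for 'is this password correct for this user' in the registry."""
    expected = REGISTRY.get(username)
    if expected is None:
        return False
    # constant-time comparison so the check leaks nothing about the stored value
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def basic_header(user, password):
    """Build the header WebSEAL (or a browser) would send to WebLogic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authenticate(header, webseal_sso_configured=True):
    """Return the authenticated username, or None.

    WebSEAL path: the header carries <external user>:<configured_user password>. The realm
    checks the password against configured_user, NOT against the named user, so a correct
    configured_user password vouches for whatever username precedes it.
    Internal path: the header carries the user's own credentials, checked against that user.
    """
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    if webseal_sso_configured and registry_authenticate(CONFIGURED_USER, password):
        # Assumption (not stated by the guide): the asserted user must exist in the registry.
        return user if user in REGISTRY else None
    if registry_authenticate(user, password):
        return user
    return None
```

The check in `authenticate` is the whole basis of trust: any client that can reach the WebLogic listener and present the configured_user password in a basic authentication header is accepted as WebSEAL and can assert any registered identity. That is why the junction and the configured_user password have to be the only route by which that password reaches WebLogic.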

Using Access Manager authorization
The authorization process occurs as follows:
1. When a request for a J2EE resource is received by WebLogic Server, it checks the relevant deployment descriptor information to determine if access to the resource is restricted to certain roles. (See Figure 1, arrow A)
2. If the request requires the user to assume a role, the WebLogic Server queries the Access Manager Custom Realm to determine whether the requesting user is a member of any of the groups that are mapped to the role. (See Figure 1, arrow B)
3. The Access Manager Custom Realm consults the Access Manager authorization server to determine if the current user is a member of the group. If the user is a member of a group that is mapped to a permitted role, access is granted. Otherwise, access is denied. (See Figure 1, arrow 5)
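The three authorization steps above chain a deployment-descriptor constraint to a set of roles, each role to Access Manager groups, and each group to a membership query. The following is an added example, not code from IBM, BEA or the product, that runs that chain end to end. The constraint list, the role-to-group mapping and the group memberships are all constructed; the url-pattern precedence (exact match, then longest path prefix, then extension) follows the servlet rules, which the guide does not spell out.

```python
"""Model of the authorization steps (Figure 1, arrows A, B and 5):
deployment-descriptor constraint -> permitted roles -> groups mapped to the role
-> group membership in the Access Manager registry.

Added example, not the product's code. All three tables are constructed data.
"""

# Constructed: security-constraint entries from a web.xml, as (url-pattern, roles allowed)
SECURITY_CONSTRAINTS = [
    ("/admin/*", {"manager"}),
    ("/reports/*", {"manager", "analyst"}),
    ("/audit/*", {"auditor"}),   # a role no group is mapped to
    ("*.jsp", {"employee"}),
]
# Constructed: role -> Access Manager groups, as mapped in the deployment descriptors
ROLE_TO_GROUPS = {
    "manager": {"cn=managers,o=ibm,c=au"},
    "analyst": {"cn=analysts,o=ibm,c=au"},
    "employee": {"cn=staff,o=ibm,c=au"},
}
# Constructed stand-in for group memberships held in the Access Manager user registry
GROUP_MEMBERS = {
    "cn=managers,o=ibm,c=au": {"alice"},
    "cn=analysts,o=ibm,c=au": {"bob"},
    "cn=staff,o=ibm,c=au": {"alice", "bob", "carol"},
}


def pattern_matches(pattern, path):
    """Servlet-style url-pattern match: '*.ext', '/prefix/*' or an exact path."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_roles(path):
    """Step 1: roles permitted on `path`, or None when no constraint restricts it.
    Precedence: exact match, then the longest matching path-prefix pattern, then extension."""
    exact = [roles for pat, roles in SECURITY_CONSTRAINTS if pat == path]
    if exact:
        return set().union(*exact)
    prefixes = [(pat, roles) for pat, roles in SECURITY_CONSTRAINTS
                if pat.endswith("/*") and pattern_matches(pat, path)]
    if prefixes:
        return max(prefixes, key=lambda pr: len(pr[0]))[1]
    ext = [roles for pat, roles in SECURITY_CONSTRAINTS
           if pat.startswith("*.") and pattern_matches(pat, path)]
    if ext:
        return set().union(*ext)
    return None


def is_group_member(user, group):
    """Step 3: stand-in for the membership query the realm sends to Access Manager."""
    return user in GROUP_MEMBERS.get(group, set())


def user_in_role(user, role):
    """Step 2: the user holds the role if they belong to any group mapped to it.
    A role with no mapped groups is held by nobody, so it denies rather than permits."""
    return any(is_group_member(user, g) for g in ROLE_TO_GROUPS.get(role, ()))


def authorize(user, path):
    """Grant when the resource is unrestricted or the user holds a permitted role."""
    roles = required_roles(path)
    if roles is None:
        return True
    return any(user_in_role(user, role) for role in roles)
```

Two behaviours are worth checking in a real deployment: a resource with no matching constraint is open to every authenticated user, and a role that has no group mapped to it denies everyone, which is the safe failure but also a common cause of unexplained 403s after a descriptor change.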


Chapter 2. Installing IBM Tivoli Access Manager for WebLogic Server

This chapter contains the following topics:
v "Supported platforms"
v "Installation packages" on page 6
v "Software prerequisites" on page 6
v "Installing Access Manager for WebLogic" on page 8
v "Configuring Access Manager for WebLogic" on page 11
v "Configuring a Custom Realm" on page 12
v "Configuring a WebSEAL junction for the WebLogic Server" on page 18
v "Testing the configuration" on page 19

Supported platforms
IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic) is supported on the following platforms:

Operating System Release                                       WebLogic Server Release
AIX 4.3.3, AIX 5L                                              WebLogic Server 6.1, with Service Pack 1
Solaris 7 and 8                                                WebLogic Server 6.1, with Service Pack 1
HP-UX 11.0                                                     WebLogic Server 6.1, with Service Pack 1
Microsoft Windows 2000 Advanced Server, with Service Pack 2    WebLogic Server 6.1, with Service Pack 1
Microsoft Windows NT with Service Pack 6A                      WebLogic Server 6.1, with Service Pack 1
Red Hat Linux 7.1, kernel 2.4.2-2                              WebLogic Server 6.1, with Service Pack 2

Disk and memory requirements
Access Manager for WebLogic has the following disk and memory requirements:
v 64 MB RAM
This is the amount of memory needed in addition to the memory requirements specified by WebLogic Server and by any other Access Manager components. The additional 64 MB RAM is used to optimize caching performance. The amount of memory needed by other Access Manager components will depend on which Access Manager components are installed on the host system. For more information, see the IBM Tivoli Access Manager Base Installation Guide.
v 250 KB (kilobytes) disk space
This requirement is in addition to the disk space required by WebLogic Server and by any other Access Manager components.


Installation packages
The installation package is available as a software download from the following URL:
http://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

A valid login and password are required to access the Tivoli Customer Support software download site.

Software prerequisites
Successful installation of Access Manager for WebLogic requires the prerequisites described in the following sections:
v "Prerequisites on Access Manager policy server and authorization server"
v "Prerequisites on Access Manager WebSEAL"
v "Prerequisites on WebLogic Server" on page 7
v "Prerequisites on Access Manager runtime environment and Java runtime" on page 7

Prerequisites on Access Manager policy server and authorization server

An Access Manager Version 3.9 secure domain must be installed and configured prior to installing Access Manager for WebLogic.

The Access Manager secure domain is established when you install the IBM Tivoli Access Manager policy server. This policy server is distributed on the IBM Tivoli Access Manager Base Version 3.9 CD for your operating system.

Typically, the Access Manager policy server is installed on a different system than the system that hosts Access Manager for WebLogic.

Access Manager supports two different modes of authorization: remote mode and local mode. Access Manager for WebLogic is typically run in remote mode. This requires that an Access Manager authorization server be installed on another system in the Access Manager secure domain. For a complete discussion of remote mode, see the IBM Tivoli Access Manager Base Administration Guide.

See the IBM Tivoli Access Manager Base Installation Guide for installation and configuration instructions for the Access Manager policy server and Access Manager authorization server. This document is included on the IBM Tivoli Access Manager Base Version 3.9 CD for your operating system.

Prerequisites on Access Manager WebSEAL
Access Manager WebSEAL provides web-based security services that can be used by Access Manager for WebLogic. When combined with WebSEAL junctions, Access Manager for WebLogic can be used to provide a WebSEAL to WebLogic Server single sign-on solution.

Access Manager WebSEAL is typically installed on a system other than the system that hosts Access Manager for WebLogic.


Access Manager WebSEAL requires that the Access Manager policy server be installed and configured.

For complete WebSEAL installation instructions, see the IBM Tivoli Access Manager WebSEAL Installation Guide. This guide is distributed on the IBM Tivoli Access Manager Web Security Version 3.9 CD.

Prerequisites on WebLogic Server
WebLogic Server 6.1 must be installed and configured on the system that will host Access Manager for WebLogic. WebLogic Server 6.1 is currently installed without a default Custom Realm and is launched using the startWebLogic command.

WebLogic Server should be running when Access Manager for WebLogic is installed. To start WebLogic Server, use the startWebLogic command.

WebLogic Server is distributed with the necessary Java Runtime Environment (JRE). Access Manager for WebLogic uses this same JRE. Successful installation of WebLogic Server satisfies the Access Manager for WebLogic prerequisite for a JRE.

IBM Java Runtime Environment Version 1.3 on AIX
On AIX systems, WebLogic Server 6.1 requires IBM Java Runtime Environment (JRE) Version 1.3. WebLogic Server 6.1 distributes this JRE, and installs it during the WebLogic Server installation. Access Manager for WebLogic uses this same version of the JRE.

Access Manager for WebLogic uses Java Native Interface (JNI) code. Ensure that the AIX environment is configured as described in:
/BEA_installation_directory/jdk130/README.HTML

Prerequisites on Access Manager runtime environment and Java runtime

The following components from the Access Manager Base must be installed on the system that will host Access Manager for WebLogic:
v Access Manager Version 3.9 runtime environment
v Access Manager Version 3.9 Java runtime

The Access Manager secure domain must be established prior to installing these components on the system that will host Access Manager for WebLogic.

The Access Manager runtime environment provides the necessary libraries and configuration information to enable the host system to access the secure domain. The Access Manager Java runtime provides Java-based administration facilities.

The Access Manager runtime environment and Access Manager Java runtime are distributed on the IBM Tivoli Access Manager Base CD for each supported operating system. For installation instructions, see the IBM Tivoli Access Manager Base Installation Guide.

Optional use of Access Manager ADK
The Access Manager ADK is optional but is recommended. The Access Manager ADK contains a demonstration application and a sample authorization API application configuration file. You can use this application and configuration file to test that the authorization API is correctly configured.


Note, however, that Access Manager for WebLogic ships a default configuration file called PDRealm.conf. You can use this configuration file to verify the authorization API configuration, instead of using the sample authorization API configuration file supplied in the ADK. Thus the Access Manager ADK is optional.

The Access Manager ADK is distributed on the IBM Tivoli Access Manager Base CD-ROM for each supported operating system. For installation instructions, see the IBM Tivoli Access Manager Base Installation Guide.

Installing Access Manager for WebLogic
Complete the instructions in the section for your operating system:
v "Installing Access Manager for WebLogic on Solaris"
v "Installing Access Manager for WebLogic on AIX"
v "Installing Access Manager for WebLogic on HP-UX" on page 9
v "Installing Access Manager for WebLogic on Linux" on page 10
v "Installing Access Manager for WebLogic on Windows" on page 11

Installing Access Manager for WebLogic on Solaris
The Access Manager for WebLogic installation separates file extraction from package configuration. Use pkgadd to install software packages on Solaris. Then configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on Solaris" on page 25.

To install Access Manager for WebLogic on Solaris, complete the following instructions:
1. Log in as user root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on Solaris installation package. See "Installation packages" on page 6.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Change directory to the temporary directory. Enter the following command to install the Access Manager for WebLogic package:
# pkgadd -d . PDWLS

When prompted to continue, type y and press Enter. Files are extracted from the temporary directory and installed on the hard disk. A message appears indicating that installation of the Access Manager package was successful. The pkgadd utility exits.
6. Next, configure Access Manager for WebLogic. Go to: "Configuring Access Manager for WebLogic" on page 11.

Installing Access Manager for WebLogic on AIX
The Access Manager for WebLogic installation separates file extraction from package configuration. Use SMIT to install software packages on AIX. Then configure Access Manager for WebLogic manually.


Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove the Access Manager for WebLogic package. See "Removing Access Manager for WebLogic on AIX" on page 26.

To install Access Manager for WebLogic on AIX, complete the following instructions:
1. Log in as root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on AIX installation package. See "Installation packages" on page 6.
4. Enter the following command at a shell prompt:
# smit

The SMIT utility starts.
5. Select Software Installation and Maintenance. Select Install and Update Software.
v On AIX 4.3 systems, select Install and Update Software from LATEST Available Software.
v On AIX 5L systems, select Install Software.
6. When prompted for the input device, enter the location where the installation images have been placed.
7. Click the List button for SOFTWARE to install. A Multi-select List window displays the list of IBM Tivoli Access Manager software packages.
8. Select the Access Manager for WebLogic package (PDWLS). Click OK.
9. The Install and Update Software from LATEST Available Software dialog box appears.
10. Verify that the default value of yes is present in the field labeled AUTOMATICALLY install requisite software.
11. Set other fields to values appropriate to your installation. In most cases, you can accept the default values. Click OK.
12. A message box appears asking if you are sure you want to install this package. Click OK. The package files are installed. Several status messages are displayed. A final status message indicates success upon completion of file extraction.
13. Click Done. Click Cancel to exit SMIT.
14. Next, configure Access Manager for WebLogic. Go to: "Configuring Access Manager for WebLogic" on page 11.

Installing Access Manager for WebLogic on HP-UX
The Access Manager for WebLogic installation separates file extraction from package configuration. Use swinstall to install software packages on HP-UX. Then configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on HP-UX" on page 26.

To install Access Manager for WebLogic on HP-UX, complete the following steps:


1. Log in as user root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on HP-UX installation package. See "Installation packages" on page 6.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Enter the following command to install the Access Manager for WebLogic package:
# swinstall -s /temp_directory PDWLS

A message appears indicating that the analysis phase has succeeded. Another message appears indicating that the execution phase is beginning. Files are extracted from the temporary directory and installed on the hard disk. A message appears indicating that the execution phase has succeeded. The swinstall utility exits.
6. Next, configure Access Manager for WebLogic. Go to: "Configuring Access Manager for WebLogic" on page 11.

Installing Access Manager for WebLogic on Linux
The Access Manager for WebLogic installation separates file extraction from package configuration. Use rpm to install software packages on Linux. Then configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on Linux" on page 27.

To install Access Manager for WebLogic on Linux, complete the following steps:
1. Log in as user root.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Set the following environment variable:
# export LD_PRELOAD=/usr/lib/libstdc++-libc6.1-2.so.3:/usr/lib/libstdc++-3-libc6.2-2-2.10.0.so

Note: You must set this environment variable to avoid a conflict between the versions of the C++ libraries used by Access Manager and the IBM Global Security Toolkit.
4. Download the Access Manager for WebLogic on Linux installation package. See "Installation packages" on page 6.
5. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
6. Enter the following command to install the Access Manager for WebLogic package:
# rpm -i PDWLS-PD-3.9.0-0.i386.rpm

Files are extracted and installed on the hard disk. The rpm utility exits.
7. Next, configure Access Manager for WebLogic. Go to: "Configuring Access Manager for WebLogic" on page 11.


Installing Access Manager for WebLogic on Windows
The Access Manager for WebLogic installation separates file extraction from package configuration. Use an InstallShield setup.exe to install the Access Manager for WebLogic files. Next, configure Access Manager for WebLogic manually.

Note: If you have already installed and configured Access Manager for WebLogic and need to reinstall it, you must first unconfigure and remove it. See "Removing Access Manager for WebLogic on Windows" on page 25.

To install and configure Access Manager for WebLogic on Windows, complete the following instructions:
1. Log in to the Windows domain as a user with Windows administrator privileges.
2. Verify that the software prerequisites have been satisfied. See "Software prerequisites" on page 6.
3. Download the Access Manager for WebLogic on Windows installation package. See "Installation packages" on page 6.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Run the Access Manager for WebLogic InstallShield setup program by double-clicking on the setup.exe file. The Choose Setup Language dialog box appears.
6. Select the appropriate language and click OK. The InstallShield program starts and the Welcome dialog box appears.
7. Click Next. The License Agreement dialog box appears.
8. Click Yes to accept the License Agreement. The Choose Destination Location dialog box appears.
9. Accept the default or specify an alternative location. Click Next. The files are extracted to the disk. A message appears indicating that the files have been installed.
10. Click Finish to exit the setup program.
11. Next, configure Access Manager for WebLogic. Go to: "Configuring Access Manager for WebLogic".

Configuring Access Manager for WebLogic
Access Manager for WebLogic must be registered with the Access Manager secure domain as an Access Manager authorization API application.

Access Manager for WebLogic includes a sample configuration file, PDRealm.conf. This file is distributed in the etc directory located in the Access Manager for WebLogic installation directory.

To configure Access Manager for WebLogic into the Access Manager secure domain, complete the following steps.
1. Verify that the following Access Manager Base components have been installed and configured:
v Access Manager Base runtime environment
v Access Manager Base Java runtime


For more information see "Software prerequisites" on page 6.
2. Copy the sample configuration file, PDRealm.conf, to a directory of your choice. For example, if you create a directory PDRealm under the WebLogic Server installation directory, use the following command (entered on one continuous line) to copy the configuration file:
v UNIX systems:
# cp /Access_Manager_install_directory/etc/PDRealm.conf \
     /WebLogic_Server_install_directory/PDRealm/PDRealm.conf

v Windows systems:
MSDOS> copy \Access_Manager_install_directory\etc\PDRealm.conf C:\WebLogic_install_directory\PDRealm\PDRealm.conf

3. Enter the following svrsslcfg command (as one continuous command line):
UNIX systems:
svrsslcfg -config -f /opt/bea/pdwlsrealm/PDRealm.conf -d /opt/bea/pdwlsrealm -n pdwlsrealm -s remote -P sec_master_password -S pdwlsrealm_password -r 0

Windows systems:
svrsslcfg -config -f c:\bea\pdwlsrealm\PDRealm.conf -d c:\bea\pdwlsrealm -n pdwlsrealm -s remote -P sec_master_password -S pdwlsrealm_password -r 0

This example invocation of svrsslcfg accomplishes the following tasks:
v Creates a user called pdwlsrealm. This user identity will be used by the application when communicating over SSL with the Access Manager policy server.
v Creates an SSL key file for that user.
v Adds the user to the remote-acl-users group (based on the -s remote option).
v Modifies settings in the specified configuration file PDRealm.conf. Note that the absolute pathname of the configuration file must be supplied to the -f option.

For more information about svrsslcfg, see the reference page "svrsslcfg" on page 30.
4. Verify that you can contact the Access Manager policy server by issuing the command:
pdadmin> server list

5. Continue to the next section: "Configuring a Custom Realm".

Configuring a Custom Realm
Complete the following steps on the system that hosts the WebLogic Server:
1. Stop the WebLogic server.
2. Add the following file names to the CLASSPATH variable of the startWebLogic command.
v UNIX systems:
/opt/pdwls/lib/PDWASAuthzManager.jar
/opt/pdwls/lib/pdAuthzn.jar
/opt/pdwls/lib/PDRealm.jar

v Windows systems:
C:\Progra~1\Tivoli\pdwls\lib\PDWASAuthzManager.jar
C:\Progra~1\Tivoli\pdwls\lib\pdAuthzn.jar
C:\Progra~1\Tivoli\pdwls\lib\PDRealm.jar


The startWebLogic command is located in the directory of the installed domain of the WebLogic Server. In a standard installation this is:
(Windows) C:\bea\wlserver6.1\config\mydomain
(UNIX) /bea/wlserver6.1/config/mydomain

3. Complete the instructions in this step to ensure that the WebLogic Server loads the correct Java classes.
CAUTION: You must complete this step or WebLogic Server will not restart.
a. Remove the Access Manager Base Java runtime component files from the library extensions directory for the Java Runtime (JRE). The library extensions directory is:
UNIX: /installation_directory/jre/lib/ext
Windows: C:\installation_directory\jre\lib\ext

Remove the following files from the library extensions directory:
PD.jar
US_export_policy.jar
ibmjcefw.jar
ibmjceprovider.jar
ibmjsse.jar
ibmpkcs.jar
jaas.jar
local_policy.jar

Note: These files were copied to this directory during the configuration of the Access Manager Base Java runtime. You are removing a copy of the files. You are not removing the original files.
b. Add the following entries to the CLASSPATH variable defined in the startWebLogic script:
v UNIX systems:
/Access_Manager_install_dir/java/export/pdjrte/PD.jar
/Access_Manager_install_dir/java/export/pdjrte/US_export_policy.jar
/Access_Manager_install_dir/java/export/pdjrte/ibmjcefw.jar
/Access_Manager_install_dir/java/export/pdjrte/ibmjceprovider.jar
/Access_Manager_install_dir/java/export/pdjrte/ibmjsse.jar
/Access_Manager_install_dir/java/export/pdjrte/ibmpkcs.jar
/Access_Manager_install_dir/java/export/pdjrte/jaas.jar
/Access_Manager_install_dir/java/export/pdjrte/local_policy.jar

v Windows systems:
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\PD.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\US_export_policy.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmjcefw.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmjceprovider.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmjsse.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\ibmpkcs.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\jaas.jar
C:\Progra~1\Tivoli\Policy~1\java\export\pdjrte\local_policy.jar

4. If you are using the default language (English), skip this step.
If you are using a language pack to support a language other than the default (English), you must add the following path to the CLASSPATH defined in the startWebLogic script:
v UNIX systems:
/opt/pdwls/nls/java


v Windows systems:
C:\Progra~1\Tivoli\pdwls\nls\java

Note: The addition of this directory will enable access to the resource bundles that are installed in /opt/pdwls/nls/java/com/tivoli/pdwls/nls/ by the language pack installation.
5. If you do not want to use WebSEAL to provide single sign-on capability, skip this step.
If you want to use WebSEAL to provide single sign-on capability, create the WebSEAL configured_user using the Access Manager Web Portal Manager or the Access Manager utility pdadmin.

The configured_user is a special Access Manager user that is used in order to form a trust relationship between WebSEAL and WebLogic Server. The name of this user can be any valid Access Manager user name.

For example, if configured_user is websealsso and the password for websealsso is pdwebwlssso, enter the following pdadmin commands:
pdadmin> user create websealsso cn=websealsso,o=ibm,c=au websealsso websealsso pdwebwlssso
pdadmin> user modify websealsso account-valid yes

For optimum security, protect the configured_user password. Any client that can reach the WebLogic Server listener and present this password in a basic authentication header is trusted as WebSEAL and can assert any user identity, so the password must be known only to WebSEAL and the Custom Realm. Change the password at regular intervals. Use of the Access Manager random password generator is recommended:
UNIX: /opt/PolicyDirector/sbin/genpass

6. Use pdadmin to create the pdadmin_context_user. For example, the following command creates a user:
pdadmin> user create pdadmin_context_user cn=pdadmin_context_user,o=ibm,c=au pdadmin_context_user pdadmin_context_user pdadmin_context_user_password iv-admin

The pdadmin_context_user is the name of the user that will be used to create a pdadmin context. This is the context that the Custom Realm uses with the Access Manager administration API.

This user must be in the iv-admin user group, or be delegated enough permission to be able to create, delete, modify, and list users and groups. You can do this by giving the user the following permissions on an access control list (ACL) attached to the /Management object:
TcmdbsvatNWA

The name of the default ACL attached to the /Management object is default-management.
7. Use pdadmin to activate the new pdadmin_context_user account. For example:
pdadmin> user modify pdadmin_context_user account-valid yes


8. Start the WebLogic server.
9. Launch the WebLogic Server console in a browser. This can be done by accessing the following URL:
http://WebLogic_Server_host:WebLogic_Server_listening_port/console

WebLogic_Server_host is the hostname of the WebLogic Server system.
WebLogic_Server_listening_port is the port on which the WebLogic Server is listening.
10. Click Security -> Realms -> Configure a new Custom Realm. Specify the following values:
v Name: PDRealm
PDRealm is the name of the Access Manager Custom Realm that will be added to WebLogic Server. This name can be anything you choose.
v Realm Class Name: com.tivoli.pdwls.realm.PDRealm
v Enter the appropriate configuration data.
Access Manager for WebLogic includes an example text file that contains all of the necessary configuration settings. You can copy this file into the WebLogic console window and modify the values to fit your environment. The sample text file is in the following location:
– UNIX systems:
/Access_Manager_install_directory/sbin/DefaultConfig.txt
– Windows systems:
C:\Access_Manager_install_directory\sbin\DefaultConfig.txt

The following table describes the properties that are included in the sample configuration file. Use the definitions in the following table to help you determine what these values should be in your environment.

Table 1. Custom Realm property settings

Realm Property: webseal.sso.configured
Valid Values: true or false
Description: Defines whether WebSEAL will be configured and determines if the Access Manager Custom Security Realm will attempt to perform single sign-on.

Realm Property: pdadmin.user.name
Valid Values: pdadmin_context_user
Description: The pdadmin.user.name is the pdadmin_context_user and is the name of the user that will be used to create a pdadmin context. This is the context that the Custom Realm uses with the Access Manager administration API. This user name was defined in a previous step in these configuration instructions.

Realm Property: pdadmin.password
Valid Values: pdadmin_context_user_password
Description: The password for the pdadmin.user.name. This should match the password defined in a previous step in these configuration instructions.


Table 1. Custom Realm property settings (continued)

Realm Property: pdrealm.registry.listingValid Values: true or false

Description: Defines whether the Access Manager Custom Realm should list usersand groups, including group memberships, to the WebLogic Server console application. This should beset to false in production environments. Set it to true only in a test environment.

Realm Property: connection.poolValid Values: 1 -n

Description: Where n is an integer defining the number of Realm objects to instantiatein the Realm pool.

Realm Property: pdrealm.tracingValid Values: true or false

Description: Turn Access Manager Realm tracing on or off. Trace will be sent to theWebLogic Server log.

Realm Property: wls.admin.userValid Values: configured_user

Description: The special user that is configured in the Access Manager Custom Realmconfiguration data in order to form a trust relationship between WebSEAL and WebLogic Server.This entry must match the configured_user identity that you created in a previous stepin these configuration instructions.

Realm Property: group.dn
Valid Values: A valid Distinguished Name (DN)

Description: LDAP naming context where groups are defined. For example, o=ibm,c=au.

Realm Property: user.dn
Valid Values: A valid Distinguished Name (DN)

Description: LDAP naming context where users are defined. For example, o=ibm,c=au.

Realm Property: aznapi.conf.file
Valid Values: authorization_api_configuration_file_path

Description: The fully qualified path of the Access Manager authorization configuration file, PDRealm.conf, that is generated when using svrsslcfg to configure an Access Manager authorization API application.


Table 1. Custom Realm property settings (continued)

Realm Property: wls.admin.user.password.expiry
Valid Values: number_of_minutes

Description: Specifies when the cached version of the configured_user’s password expires. The value is specified in minutes. If you do not want the password to expire, either do not set this property, or set it to a value less than 1.

If you change the configured_user password, you will need to restart the server once the cached password expires. If you choose to leave the password in the cache without an expiration time, you can change the configured_user password and continue to use the server without a restart. Thus you can avoid an interruption of service, and restart the server at a time that minimizes impact on users.

11. Configure a new Caching Realm:

v Name: PD_Caching_Realm

PD_Caching_Realm is the name of the Access Manager Caching Realm that will be added to WebLogic Server. This name can be anything you choose.

v Basic Realm: PDRealm

This name should match the name of the PDRealm that you specified in the previous step.

v Case Sensitive: No

v Use defaults for the caching properties.

The following table explains the cache properties.

Table 2. Caching settings for specifying a new Caching Realm

Credentials Cache

Use the settings in this section to enable the caching of user credentials. The use of a credentials cache optimizes performance.

Realm Property: credential.cache.entry.lifetime
Valid Values: number_of_minutes

Description: Specifies how long, in minutes, to retain a user credential in the cache. For example, 5. If this value is not specified, or has a value of less than 1, credentials caching is disabled.

Realm Property: credential.cache.max.entries
Valid Values: integer

Description: Specifies the maximum number of entries in the cache. For example, 10000. If this value is not specified, or has a value of less than 1, credentials caching is disabled.


Table 2. Caching settings for specifying a new Caching Realm (continued)

Realm Property: credential.cache.num.buckets
Valid Values: integer

Description: Specifies the number of caches (buckets) to have within the cache. For example, 20. The use of multiple buckets optimizes the performance of credential lookups in the cache. If this value is not specified, or has a value of less than 1, credentials caching is disabled.

Group Name Mapping Cache

This cache stores the mapping between group Distinguished Names or UUIDs and the Access Manager short names. This mapping is used to compare group information from J2EE deployment descriptors against group information contained in the user registry. Caching of this information optimizes performance when processing access (authorization) requests based on role memberships.

Realm Property: group.mapping.cache.entry.lifetime
Valid Values: number_of_minutes

Description: Specifies the lifetime, in minutes, of each cache entry. For example, 720.

Realm Property: group.mapping.cache.max.entries
Valid Values: integer

Description: Specifies the maximum number of entries in the cache. For example, 500. Use this value to ensure that installations with very large numbers of groups do not exhaust available system memory.

12. Go to Security -> FileRealm and set it to PD_Caching_Realm. Leave all other fields unchanged. Use the PD_Caching_Realm name that you specified in the previous step.

13. Restart WebLogic Server. Security settings will now take effect.

14. Continue to the next section: “Configuring a WebSEAL junction for the WebLogic Server”.
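As an added example that is not part of this guide, the following POSIX shell pre-flight check applies the rules from Table 1 and Table 2 to a constructed key=value listing of the realm settings. WebLogic Server stores these values in its own configuration, so the flat file layout and every sample value in it are assumptions made for illustration only.

```shell
#!/bin/sh
# Added example: pre-flight check of Custom Realm / Caching Realm settings
# against the rules in Tables 1 and 2 of this guide. The key=value file is a
# constructed stand-in for the values entered in the WebLogic Server console.

REALM_PROPS_FILE="${TMPDIR:-/tmp}/pdrealm_props.$$"
trap 'rm -f "$REALM_PROPS_FILE"' EXIT
cat > "$REALM_PROPS_FILE" <<'EOF'
pdadmin.user.name=pdadmin_context_user
pdadmin.password=example-only-password
pdrealm.registry.listing=true
connection.pool=0
pdrealm.tracing=false
wls.admin.user=configured_user
group.dn=o=ibm,c=au
user.dn=o=ibm,c=au
aznapi.conf.file=/opt/PolicyDirector/etc/PDRealm.conf
wls.admin.user.password.expiry=0
credential.cache.entry.lifetime=5
credential.cache.max.entries=10000
credential.cache.num.buckets=0
EOF

# prop FILE KEY: print the value of KEY (first match), empty if unset.
# Dots in the key are escaped so "user.dn" does not also match "userXdn".
prop() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^$key=//p" "$1" | head -n 1
}

# is_positive_int VALUE: true when VALUE is an integer >= 1.
is_positive_int() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ]
}

# check_realm_props FILE: print findings and ERRORS=<n>; succeed only if n is 0.
check_realm_props() {
  f=$1
  errors=0

  # Table 1: listing users and groups to the console is a test-only setting.
  v=$(prop "$f" pdrealm.registry.listing)
  if [ "$v" = true ]; then
    echo "ERROR pdrealm.registry.listing=true lists users, groups and memberships to the console; set it to false in production"
    errors=$((errors + 1))
  elif [ "$v" != false ]; then
    echo "ERROR pdrealm.registry.listing must be true or false (got '$v')"
    errors=$((errors + 1))
  fi

  v=$(prop "$f" pdrealm.tracing)
  case "$v" in
    true|false) ;;
    *) echo "ERROR pdrealm.tracing must be true or false (got '$v')"; errors=$((errors + 1)) ;;
  esac

  # Table 1: connection.pool is 1 - n, an integer count of Realm objects.
  v=$(prop "$f" connection.pool)
  if ! is_positive_int "$v"; then
    echo "ERROR connection.pool must be an integer >= 1 (got '$v')"
    errors=$((errors + 1))
  fi

  # Identities, LDAP naming contexts and the aznAPI configuration path must be set.
  for k in pdadmin.user.name pdadmin.password wls.admin.user group.dn user.dn aznapi.conf.file; do
    if [ -z "$(prop "$f" "$k")" ]; then
      echo "ERROR $k is not set"
      errors=$((errors + 1))
    fi
  done

  # Table 1: unset or < 1 means the cached configured_user password never expires.
  v=$(prop "$f" wls.admin.user.password.expiry)
  if is_positive_int "$v"; then
    echo "INFO cached configured_user password expires after $v minute(s); plan a restart after changing it"
  else
    echo "INFO wls.admin.user.password.expiry unset or < 1: cached configured_user password never expires"
  fi

  # Table 2: credentials caching is disabled if any of the three values is unset or < 1.
  cache=enabled
  for k in credential.cache.entry.lifetime credential.cache.max.entries credential.cache.num.buckets; do
    is_positive_int "$(prop "$f" "$k")" || cache="disabled ($k unset or < 1)"
  done
  echo "INFO credentials caching $cache"

  echo "ERRORS=$errors"
  [ "$errors" -eq 0 ]
}

check_realm_props "$REALM_PROPS_FILE" || echo "Fix the settings flagged above before using this realm in production."
```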

Configuring a WebSEAL junction for the WebLogic Server

If you want to use WebSEAL to provide single sign-on services, follow the instructions in this section to configure the necessary WebSEAL junction.

Note: If you are not using WebSEAL single sign-on, skip this section.

Complete the following steps on the system that hosts the Access Manager WebSEAL server:

1. Update the following configuration item in the WebSEAL configuration file, webseald.conf:

basicauth-dummy-passwd = configured_user_password

2. Stop and restart WebSEAL, to make the configuration change take effect.


3. Use the pdadmin command to create a WebSEAL junction.

Note: This step can be done on any machine in the Access Manager domain. You do not have to execute it on a WebSEAL system. For example, you could run it on the Access Manager policy server system.

Be sure to use the -b option to supply the junction target URL. This is required for single sign-on.

For example:

pdadmin> server task webseald_server_name create -t tcp -p WebLogic_Server_listen_port -h WebLogic_Server -b supply junction_target

The following table defines the variables in the above pdadmin command:

-- webseald_server_name

Name of the Access Manager WebSEAL server. The name consists of two parts: webseald-WebSEAL_server_instance. Use your system’s hostname for WebSEAL_server_instance.

For example, if the host machine name is cruz, the webseald_server_name would be:

webseald-cruz

Note: If you have installed multiple instances of WebSEAL on the same server, you need to specify the server instance also. For instructions on creating junctions with multiple server instances, see the IBM Tivoli Access Manager WebSEAL Administration Guide.

-- WebLogic_Server

The hostname of the WebLogic Server

-- WebLogic_Server_listen_port

The port on which the WebLogic Server is listening

-- junction_target

The URL target of the junction

For complete information on creating and using Access Manager WebSEAL junctions, see the IBM Tivoli Access Manager WebSEAL Administration Guide.

Testing the configuration

Verify that the Access Manager Custom Realm has been correctly configured by completing the following steps:

1. Use the WebLogic Server console to create a new test user.

2. Execute the following pdadmin command:

pdadmin> user show test_user

v Verify that account-valid is yes.


v Verify that password-valid is yes.

The Access Manager Custom Realm single sign-on solution allows a single authentication step through WebSEAL that transparently authenticates the user to the WebLogic Server. You can confirm that this is configured correctly by running the demonstration application. The demonstration application is described in the next chapter.

Chapter 3. Using IBM Tivoli Access Manager for WebLogic Server

This chapter contains the following information about IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic):

v “Using the demonstration application”
v “Creating test users” on page 22
v “Usage tips” on page 22
v “Troubleshooting tips” on page 23
v “Limitations” on page 23

Using the demonstration application

You can use the demonstration application to see an example of two types of authorization, and to exercise the WebSEAL single sign-on capability.

The two types of authorization are:

v Declarative

Uses Deployment Descriptors to grant users and groups specific roles. The PDDemoApp application does not, by default, grant access to any user.

v Programmatic

Using programmatic security, the Enterprise Java Bean ensures that only the owner of each account has the permission to view their own account balance. For example, user Mark cannot view user Luke’s balance.

To run the demonstration application, complete the following steps:

1. Copy the demonstration application PDDemoApp.ear into <BEA_domain_directory>\applications. Note that use of this directory is not required. You can place the EAR file into any directory on your file system.

2. Use the WebLogic Server console to install the demonstration application.

3. Use the WebLogic Server console to create the following users:

Banker1
Banker2
Banker3
Banker4

4. Use the WebLogic Server console to add a group to the BankMembersRole in the PDDemoApp. This can be a group that already exists, or you can create a new group by using the WebLogic Server console. Alternatively, add the users created above to the BankMembersRole. For instructions on using the WebLogic Server console, see the WebLogic Server documentation.

5. If you added a group to the BankMembersRole in the step above, add all of the users created above (Banker1, Banker2, Banker3, Banker4) to the group. If you added the users individually into the BankMembersRole, skip this step.

6. To access the demonstration application, access the following URL:

http://WebLogic_Server_host:WebLogic_Server_listening_port/pddemo/PDDemo


Authenticate with one of the users defined above.

WebLogic_Server_host is the hostname of the WebLogic Server system.

WebLogic_Server_listening_port is the port on which the WebLogic Server is listening.

7. Verify that only users that have been granted the BankMembersRole can access the Servlet.

8. Verify that the authenticated user can view their own balance, but not the balance of any other user.

To test the WebSEAL Single Sign On, complete the following steps:

1. Access the following URL:

https://webseald_server_name/junction_target/pddemo/PDDemo

WebSEAL will prompt you to authenticate.

For an explanation of the variables webseald_server_name and junction_target, see “Configuring a WebSEAL junction for the WebLogic Server” on page 18.

Note: Use HTTPS here because the default WebSEAL behavior is to prevent Basic or Forms-based authentication over HTTP.

2. Authenticate as one of the users defined above. This process will single sign the user on to the WebLogic Server and the Servlet will be invoked without requiring a second authentication. When accessed through WebSEAL, the PDDemo demonstration application will show identical behavior to that shown when accessing the WebLogic Server directly.

3. Verify that the authenticated user can view their own balance, but not the balance of any other user.

Creating test users

For convenience, if many test users are required, a script named users.sh is provided. This tool can be used to create and/or delete multiple test users, by creating appropriate pdadmin scripts:

v Run users.sh to generate two text files that pdadmin can use to add and remove a set of users to or from the user registry.

v To use the users.sh script, edit the script and define the variables appropriate for your environment.

Two files are generated: add_users.txt and remove_users.txt. Use these files as input to pdadmin scripts as follows:

pdadmin -a sec_master -p <password> <add_users.txt

pdadmin -a sec_master -p <password> <remove_users.txt

Usage tips

1. Observe good security practices when enabling single sign-on for external users. Ensure that authentication is performed only by the WebSEAL server. To achieve this, disable access to the WebLogic Server by internal users that do not go through the WebSEAL server.
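As an added example modelled on what users.sh does for the section “Creating test users” above (it is not the product’s users.sh), the following POSIX shell script writes add_users.txt and remove_users.txt for a numbered batch of test users. The Banker naming, the DN suffix o=ibm,c=au and the pdadmin user create / user modify / user delete command forms are assumptions: the guide does not spell them out, so check them against the pdadmin reference for your version.

```shell
#!/bin/sh
# Added example (not the product's users.sh): generate pdadmin input files that
# create and remove a numbered batch of test users. The pdadmin command forms
# (user create / user modify account-valid / user delete) are taken from the
# pdadmin command set, not from this guide; verify them for your release.

umask 077                        # the add file carries passwords: owner-only
USER_DN_SUFFIX="o=ibm,c=au"      # must match the realm's user.dn (assumed value)
USER_PREFIX="Banker"             # Banker1 .. BankerN, as in the demonstration application
USER_COUNT=4
OUT_DIR="${TMPDIR:-/tmp}/pdwls_users.$$"
mkdir -p "$OUT_DIR"
trap 'rm -rf "$OUT_DIR"' EXIT

# random_password: 16 hex characters from the kernel RNG, so that no test
# account is created with a predictable password, even in a test registry.
random_password() {
  od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# gen_user_scripts PREFIX COUNT DN_SUFFIX ADD_FILE REMOVE_FILE
# Writes a "user create" plus "user modify ... account-valid yes" pair per user
# to ADD_FILE and one "user delete" per user to REMOVE_FILE.
gen_user_scripts() {
  prefix=$1 count=$2 suffix=$3 add=$4 remove=$5
  : > "$add"
  : > "$remove"
  i=1
  while [ "$i" -le "$count" ]; do
    name="$prefix$i"
    # pdadmin form: user create user_name dn cn sn password
    printf 'user create %s cn=%s,%s %s %s %s\n' \
      "$name" "$name" "$suffix" "$name" "$name" "$(random_password)" >> "$add"
    # Set account-valid explicitly so the "pdadmin user show" check in
    # "Testing the configuration" reports account-valid yes for each user.
    printf 'user modify %s account-valid yes\n' "$name" >> "$add"
    printf 'user delete %s\n' "$name" >> "$remove"
    i=$((i + 1))
  done
  return 0
}

# count_lines FILE: line count with the padding some wc versions print removed.
count_lines() { wc -l < "$1" | tr -d ' '; }

gen_user_scripts "$USER_PREFIX" "$USER_COUNT" "$USER_DN_SUFFIX" \
  "$OUT_DIR/add_users.txt" "$OUT_DIR/remove_users.txt"
echo "wrote $(count_lines "$OUT_DIR/add_users.txt") commands to $OUT_DIR/add_users.txt"
echo "wrote $(count_lines "$OUT_DIR/remove_users.txt") commands to $OUT_DIR/remove_users.txt"
# Feed the files to pdadmin as the guide shows. Leaving out -p makes pdadmin
# prompt for the sec_master password instead of exposing it in the process list.
echo "next: pdadmin -a sec_master < $OUT_DIR/add_users.txt"
```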


2. Access Manager Custom Realm listing should be set to false in production environments. Set this to true only when testing to verify that a realm is operational.

3. To use the WebLogic Server system and guest users through WebSEAL, you must create a dummy guest in Access Manager, and set the real Guest and System password to match the configured_user password. Note, however, that this means that if you want to allow the guest user to log in without going through WebSEAL (such as access from an intranet), you will need to expose the configured_user password.

Troubleshooting tips

When a user has authenticated through forms-based login, and attempts to access a resource for which they do not have permission, the following error message may appear:

Could not Sign On message from WebSEAL

This can occur because even though the user could actually be authenticated, they don’t have permission to access the Servlet in the web container.

If this error occurs when using Basic Authentication, the user will be re-prompted for the authentication details, instead of seeing the page described above. This is default WebLogic Server behavior and would be seen if the user accesses the page either directly or through WebSEAL.

Limitations

1. Access Manager for WebLogic does not support recursive group membership (groups within groups).

2. Centralized control of user access to WebLogic’s J2EE resources is limited to moving users between groups that have been assigned to roles in application deployment descriptors.

3. Single sign-on to WebLogic Server using forms-based authentication is not supported.

4. Access Manager for WebLogic does not implement the java.security.ACL interface. Note that Access Manager ACLs do not correspond to WebLogic Server ACLs.


Chapter 4. Removing IBM Tivoli Access Manager for WebLogic Server

This chapter describes how to unconfigure and remove IBM Tivoli Access Manager for WebLogic Server (Access Manager for WebLogic).

Complete the instructions in one of the following sections:

v “Removing Access Manager for WebLogic on Solaris”
v “Removing Access Manager for WebLogic on Windows”
v “Removing Access Manager for WebLogic on AIX” on page 26
v “Removing Access Manager for WebLogic on HP-UX” on page 26

Removing Access Manager for WebLogic on Solaris

Use pkgrm to remove the Access Manager for WebLogic for Solaris files.

1. Log in as root.

2. Use the WebLogic Server console to unconfigure the PDRealm.

3. To remove Access Manager for WebLogic, enter the following command:

# pkgrm PDWLS

A prompt appears asking you to confirm the removal of the selected package.

4. Enter the letter y.

A status message lists each file as it is removed. After the postremove script runs, a status message indicates that the removal of the software package was successful. The pkgrm utility exits.

Removal of the Access Manager for WebLogic package is complete.

If you want to remove the IBM Tivoli Access Manager Base prerequisites (Access Manager Base runtime environment, Access Manager Base Java runtime, and the optional Access Manager ADK) follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing Access Manager for WebLogic on Windows

Use the Windows Add/Remove Programs icon interface to remove the Access Manager for WebLogic files. Complete the following instructions:

1. Log in as a Windows user with administrator privilege.

2. Use the WebLogic Server Console to unconfigure the PDRealm.

3. Click the Add/Remove Programs icon.

4. Select Access Manager for WebLogic Application Server.

5. Click Change/Remove.

The Choose Setup Language dialog box appears.

6. Select a language and click OK.

7. Select the Remove radio button. Click Next.

The Confirm File Deletion dialog box appears.

8. Click OK.

The Access Manager for WebLogic files are removed. The Maintenance Complete dialog box appears.

9. Click Finish.

Removal of Access Manager for WebLogic is complete.

If you want to remove the IBM Tivoli Access Manager Base prerequisites (Access Manager Base runtime environment, Access Manager Base Java runtime, and the optional Access Manager ADK component) follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing Access Manager for WebLogic on AIX

Use the SMIT utility to remove the Access Manager for WebLogic for AIX package. Complete the following steps:

1. Log in as root.

2. Use the WebLogic Server Console to unconfigure the PDRealm.

3. Start SMIT. Select Software Installation and Maintenance.

4. Select Software Maintenance and Utilities.

5. Select Remove Installed Software.

6. Click the List button next to SOFTWARE name.

The Multi-Select List appears. The package name PDWLS is displayed.

7. Select the PDWLS package: Access Manager for WebLogic.

The Remove Installed Software dialog box appears.

8. Change the value of the PREVIEW only field to no.

9. Accept the default value of no for all other fields. Click OK.

10. The Are You Sure message window appears. Click OK. A status message appears indicating that the software is being deinstalled. Another status message lists all packages that were removed.

11. Click Done. The Remove Installed Software dialog box appears.

12. Click Cancel. Click Exit to exit SMIT.

Removal of Access Manager for WebLogic is complete.

If you want to remove the IBM Tivoli Access Manager Base prerequisites (Access Manager Base runtime environment, Access Manager Base Java runtime, and the optional Access Manager ADK component) follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing Access Manager for WebLogic on HP-UX

Use swremove to remove the Access Manager for WebLogic files. Complete the following instructions:

1. Log in as root.

2. Use the WebLogic Server Console to unconfigure the PDRealm.

3. To remove Access Manager for WebLogic, enter the following command:

# swremove PDWLS

A series of status messages appear. A status message appears indicating that the analysis phase has succeeded. The swremove utility removes the Access Manager for WebLogic files from the hard disk.

When the removal is complete, the swremove utility exits.

Removal of Access Manager for WebLogic on HP-UX is now complete.

If you want to remove the IBM Tivoli Access Manager Base prerequisites (Access Manager Base runtime environment, Access Manager Java runtime, and the optional Access Manager ADK component) follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing Access Manager for WebLogic on Linux

Use rpm to remove the Access Manager for WebLogic files. Complete the following instructions:

1. Log in as root.

2. Use the WebLogic Server Console to unconfigure the PDRealm.

3. To remove Access Manager for WebLogic, enter the following command:

# rpm -e PDWLS-PD-3.9.0-0.i386.rpm

The files are removed. The rpm utility exits.

Removal of Access Manager for WebLogic on Linux is now complete.

If you want to remove the IBM Tivoli Access Manager Base prerequisites (Access Manager Base runtime environment, Access Manager Java runtime, and the optional Access Manager ADK component) follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Appendix A. svrsslcfg reference

This section contains the following reference page:

v “svrsslcfg” on page 30


svrsslcfg

Configure and unconfigure an Authorization API application to communicate with the Policy Director policy server or authorization server.

Syntax

svrsslcfg action parameter1 parameter2 ...

Supported actions and their parameters:

-add_replica
    -f absolute_pathname_of_configuration_file
    -h host_name
    -p port
    -k rank

-chgcert

-chgport
    -r port

-chgpwd
    [-e pwd_life]

-chg_replica
    -f absolute_pathname_of_configuration_file
    -h host_name
    -p port
    -k rank

-config
    -f absolute_pathname_of_configuration_file
    -d kdb_dir
    -n server_name
    -s server_type
    -r port
    -P admin_pwd
    [-S server_password]
    [-A admin_id]
    [-t timeout]
    [-e pwd_life]
    [-C cert_file]
    [-l listening_mode]
    [-a refresh_mode]

-rmv_replica
    -f absolute_pathname_of_configuration_file
    -h host_name

-unconfig
    -f absolute_pathname_of_configuration_file
    -n server_name
    -P admin_pwd
    [-A admin_id]


Description

-add_replica

Use this option when running the application in remote mode. This option instructs the application how to contact the Access Manager authorization server.

This option requires two parameters:

v -f absolute_pathname_of_configuration_file

v -h host_name

This option takes two optional parameters:

v -p port

v -k rank

This option is not used when running the application in local mode. For more information on local mode and remote mode, see the IBM Tivoli Access Manager Base Administration Guide.

-chgcert

Renew the server certificate. A new public-private key pair and certificate will be created and stored in the keyring file. Use this command if the original certificate has been compromised. If the certificate and the password to the keyring database file containing that certificate have expired, use svrsslcfg -chgpwd to refresh the password first. This is necessary because a valid password is needed to open the keyring database file to get the certificate.

Ensure that the Access Manager policy server is running before attempting to renew the server certificate. Ensure that the application server (when used with an authorization API application) is stopped before renewing the certificate.

-chgport

Change the listening port number.

-chgpwd

Change the keyring file password. A new random password will be generated and saved in the stash file. Only the -e parameter is allowed with this action. Ensure that the application server (when used with an authorization API application) is stopped before changing the password.

-chg_replica

Change a replica. The replica hostname is used to identify the replica and cannot be changed by this action. The listening port and preference may be changed.

-config

The svrsslcfg -config action performs the following configuration tasks:

v Creates a user with a name by combining the specified server_name with the local TCP/IP host name. Note that if the server_name supplied with the -n option includes the local TCP/IP host name, then the server_name will equate to the user name. For example, svrsslcfg will combine a server_name of MyApp with a local host name of host1.domain.com to form a user account name of myApp/host1.domain.com. When the server_name is specified as myApp/host1.domain.com, svrsslcfg does not determine the TCP/IP host name, but instead uses the supplied string as the user name.

v Creates an SSL key file for that user. For example, demo_user.key and demo_user.sth.

v Adds the user to the ivacld-servers group when the server_type is local, or to the remote-acl-users group when the server_type is remote.

Administrators use the -config option to configure an application that has been written with the authorization API. This option enables the application to communicate with either the Access Manager policy server or the Access Manager authorization server. The Access Manager runtime environment must be installed before using this utility.

This utility creates an SSL stanza or modifies an existing stanza for the SSL in the configuration file. The utility also creates a key database in the specified directory. The database contains an SSL certificate signed by the Access Manager policy server.

You must provide a unique Access Manager name for the server, the directory in which the key ring database files are created, the application authorization type (local or remote) and a TCP port number if the application will listen for database update notifications (local mode only).

-rmv_replica

Remove a replica. The replica hostname is used to identify the replica to be removed.

-unconfig

Unconfigure the server. The key ring files will be deleted, and the server removed from the user registry and Access Manager database.

The following parameters are required:

v -f absolute_pathname_of_configuration_file

v -n server_name

v -P admin_pwd

The following parameter is optional:

v -A admin_id

Parameters

-a refresh_mode

Sets the certificate and keyring file password auto-refresh enabled flag in the configuration file. The value of this parameter must be yes or no. If not specified, the default is yes.

Optional parameter for -config.

-A admin_id

The Access Manager administrator name. When the user registry type is LDAP, this parameter is ignored, and the value sec_master is used instead.


Optional parameter for -config and -unconfig.

-C cert_file

Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with LDAP. This is optional.

Optional parameter for -config.

-d kdb_dir

The directory that is to contain the keyring database files for the server. This directory must already exist; it is not created by svrsslcfg.

Required parameter for -config.

-e pwd_life

The keyring file’s password expiration time in days. This parameter is optional. If not specified during initial configuration, a default of 183 days is used.

Optional parameter for -config and -chgpwd.

-f absolute_pathname_of_configuration_file

The absolute path to the configuration file for the application. The configuration file consists of a series of stanza entries that specify configuration settings, such as the location of the SSL key file.

Required parameter for -config, -unconfig, -add_replica, -chg_replica, and -rmv_replica.

-h host_name

The TCP hostname of the Access Manager authorization server.

Required parameter for -add_replica, -chg_replica, and -rmv_replica.

-k rank

Replica order of preference among other replicas. This parameter defaults to 10 when the -add_replica option is used. Rank must be an integer value from 1 to 10. The higher the number, the higher the rank. When the application needs to request an authorization decision from an authorization server, it will send the request first to the authorization server with the highest rank. If that server is unavailable, the application will send the request to the server with the next highest rank. This process continues until an authorization decision has been obtained, or all configured authorization servers have been accessed.

Optional parameter for -add_replica and -chg_replica.

-l listen_mode

Sets the listening-enabled flag in the configuration file. The value of this parameter must be yes or no. If not specified, the default is no. When used with the -config action, a value of yes requires that the -r parameter must have a non-zero value. When used with the -modify action, a value of yes requires that the listening port number in the configuration file be non-zero.

Optional parameter for -config and -modify.

-n server_name

The name of the server. The name may be specified as either server_name/hostname or server_name, in which case the local hostname will be appended to form name/hostname. The names ivacld, secmgrd, and ivweb are reserved for Access Manager servers.

Required parameter for -config and -unconfig.


-p portListening port number of the Access Manager authorization server. This is porton which the Access Manager authorization server listens for requests. If notspecified as an option to -add_replica, a default port of 7136 is used.

Optional parameter for -add_replica and -chg_replica.

-P admin_pwdThe Access Manager administrator password. When the user registry type isLDAP, then this must be the security master (sec_master) principal’s password.This is a required parameter. If this parameter is not specified, the passwordwill be read from stdin.

Required parameter for -config and -unconfig.

-r port_numSets the listening port number for the server. This is a required parameter. Avalue of 0 may be specified only if the [aznapi-admin-services] stanza in theconfiguration file is empty.

Required parameter for -config.

-s server_typeThe type of server being configured. The value must be either local or remote.This is a required parameter.

Required parameter for -config.

-S server_pwdThe server’s password. This parameter is required. However, you can requestthat a password be created by the system by specifying a dash (-) for thepassword. If this option is used, the configuration file will not be updated withthe password created by the system. If the user registry type is LDAP and apassword is specified, it is saved in the configuration file. If this parameter isabsent, the server password is read from stdin.

Optional parameter for -config.

-t ssl_timeout
Specifies the SSL session timeout in seconds. The value must be in the range 1-86400. This parameter is optional. If it is not specified during initial configuration, a default value of 7200 is used.

Optional parameter for -config.

Examples

For example, the demonstration authorization program that is distributed with the ADK invokes svrsslcfg as follows:

    svrsslcfg -config -f /opt/PolicyDirector/example/authzn_demo/local.conf \
        -d /opt/PolicyDirector/example/authzn_demo \
        -n authzn_local -S <svr-password> -s local \
        -P <admin-password> -r 7777

Note that the demonstration program uses a configuration file named local.conf. For more information, see the Readme file that accompanies the demonstration program software.
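The following pre-flight check is an added example, not part of the IBM guide or the svrsslcfg tool. It encodes the constraints the parameter reference above states (the reserved server names, the local|remote server type, the 1-86400 SSL timeout range, and the rule that -r 0 is valid only when the [aznapi-admin-services] stanza is empty) so a configuration can be rejected before the command is run; the function names and the sample configuration file are assumptions.

```shell
# Added example (not from the IBM guide): validate svrsslcfg -config arguments
# against the documented constraints before invoking the real command.
# The function names and the sample configuration file are assumptions.

# Return 0 if the server name is usable (not a reserved Access Manager name).
check_server_name() {
    name="${1%%/*}"          # strip an optional /hostname suffix
    case "$name" in
        ''|ivacld|secmgrd|ivweb) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if the server type is one of the two values svrsslcfg accepts.
check_server_type() {
    case "$1" in local|remote) return 0 ;; *) return 1 ;; esac
}

# Return 0 if the SSL session timeout is an integer in the range 1-86400.
check_ssl_timeout() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 86400 ]
}

# Return 0 if the [aznapi-admin-services] stanza of config file $1 is empty:
# no non-blank, non-comment line between that header and the next [stanza].
# A configuration file without the stanza at all also counts as empty.
stanza_is_empty() {
    awk '/^\[aznapi-admin-services\]/ { in_s = 1; next }
         /^\[/                        { in_s = 0 }
         in_s && /^[ \t]*[^# \t]/     { found = 1 }
         END { if (found) exit 1; exit 0 }' "$1"
}

# Return 0 if the listening port is valid: 1-65535, or 0 only with an empty stanza.
check_listen_port() {
    port="$1"; conf="$2"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -eq 0 ]; then stanza_is_empty "$conf"; return $?; fi
    [ "$port" -le 65535 ]
}

# Constructed sample configuration file (not a real product file) used to
# exercise the stanza check: the admin-services stanza is present but empty.
SAMPLE_CONF="${TMPDIR:-/tmp}/svrsslcfg_check_$$.conf"
printf '[aznapi-admin-services]\n\n[other-stanza]\nsome-key = some-value\n' > "$SAMPLE_CONF"
```

Run the checks on the intended -n, -s, -t and -r values (with the -f file for the -r check) and invoke svrsslcfg only when all four return 0.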


Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2002

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.


Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Printed in U.S.A.

GC32-0851-00