Configuring Tivoli Access Manager for HCL Leap

The following instructions describe how to configure HCL Leap for single sign-on (SSO) with Tivoli® Access Manager.

You must have IBM® Tivoli Access Manager for e-business, version 6.1.1 installed before you can perform this procedure. Ensure that you can access the installed Leap from a web browser. Set the WebSphere® Application Server single sign-on domain to the same value as the Tivoli Access Manager server. To perform these instructions, you must be an administrator.
Note:
  • Leap supports the WebSphere cookie-based Lightweight Third-Party Authentication (LTPA) mechanism as an SSO solution for Tivoli Access Manager.
  • Tivoli Access Manager displays a generic login screen. If the user attempts to access a specific application, the application name is not displayed during login.
  • This configuration document assumes the use of default Leap settings. If you customized Leap, you must update the corresponding customized settings.
  • For more information about Tivoli Access Manager, see the Tivoli Access Manager Knowledge Center.

Single sign-on (SSO) enables users to log on to one Leap application and switch to other applications and resources without authenticating again. There are several ways to configure SSO; the following procedure uses a WebSphere Application Server LTPA key and WebSEAL transparent path junctions. To set up SSO using Tivoli Access Manager, complete the following steps:

  1. To support SSO with the Lightweight Third-Party Authentication (LTPA) key, the same keys and password must be shared by Tivoli Access Manager and WebSphere Application Server. To export the keys from WebSphere Application Server:
    1. Log on to WebSphere Application Server Integrated Solutions Console as an administrator. Go to Security >  Global security. In Authentication mechanisms and expiration, click LTPA.
    2. In Cross-cell single sign-on section, provide values for the following fields:
      • Password – Enter and confirm a secure password. You will need this password later when you create the WebSEAL junctions.
      • Fully qualified key file name – Specify a valid path and file name for the file that holds the exported keys. For example, C:\WAS_ltpa.keys
    3. Click Export keys.
      Note: If you modify your federated repository properties, such as the realm name, export your LTPA keys again and copy them to the Tivoli Access Manager server. The key file path on the Tivoli Access Manager server must be identical to the path that you specify when you create the Tivoli Access Manager junctions. See Step 5 for more details.
  2. Use available authentication data when an unprotected URI is accessed: go to Global security > Web and SIP security > General. Select Authenticate only when the URI is protected, and then select Use available authentication data when an unprotected URI is accessed, if it is not already selected.
  3. Click Apply, and then OK.
  4. Import your HCL HTTP Server certificate into the Tivoli Access Manager keystore for SSL communication between the HTTP Server and the Tivoli Access Manager server. For more details, see the Tivoli Access Manager Knowledge Center.
  5. Use the exported LTPA key to configure the transparent path junctions in Tivoli Access Manager by:
    1. Copying the LTPA keys exported in Step 1 to the Tivoli Access Manager server, for example: C:\WAS8_ltpa.keys
    2. Opening the pdadmin command-line utility, which is installed as part of the Tivoli Access Manager runtime package.
    3. Configuring one transparent path junction for each context root of Leap. Enter the following command for each junction:
      server task <WebSEAL-instance-name> create -t ssl -h <backend-server-name> -p <backend-server-port> -i -b ignore -A -2 -F <ltpa-token> -Z <ltpa-password> -j -J trailer -k -x <transparent-path-jct>
      The following list describes the parts of the command.
      • <WebSEAL-instance-name> – The name of the WebSEAL server. Use the following syntax: <WebSEAL_instance>-webseald-<tam_server>. In this syntax, <WebSEAL_instance> is the name of the WebSEAL server instance that manages Leap, and <tam_server> is the host name of the Tivoli Access Manager server. For example: default-webseald-server.name.example.com
      • <backend-server-name> – The domain name of the Leap server for which Tivoli Access Manager is managing authentication.
      • <backend-server-port> – The port used by the backend server
      • <ltpa-token> – The path and name of the file on the Tivoli Access Manager server that holds the exported WebSphere Application Server keys (the file copied in Step 5.1).
      • <ltpa-password> – The password that you defined in Step 1 to encrypt the key file.
      • <transparent-path-jct> – The transparent path junction for the application. This value must match the URL pattern, and must be created for each URL pattern:
        • /apps
      Note:
      • You can create a non-SSL junction with -t tcp -p 80 instead; however, it is less secure, because the LTPA token and all application traffic between WebSEAL and the Leap server are then sent in clear text.
      • The -2 parameter is needed only if you are using LTPA version 2. WebSphere Application Server supports both LTPA version 1 and LTPA version 2.
      • If an invalid certificate error occurs, import your <backend-server-name> certificate into the WebSEAL certificate store before you create the junctions.
      For more information about using the pdadmin command-line utility, see the Tivoli Access Manager Knowledge Center.
  6. Create a default Leap Access Control List (ACL) to override the default WebSEAL ACL by running the following commands:
    • acl create <forms-default-acl>
    • acl modify <forms-default-acl> set user sec_master TcmdbsvaBRlrx
    • acl modify <forms-default-acl> set any-other Tmdrx
    • acl modify <forms-default-acl> set unauthenticated T
    Where <forms-default-acl> is the name of the access control list.
  7. Attach the default ACL to resources that are protected by forms authentication, that is, to the application root URLs.
    Build the following command: acl attach /WebSEAL/<tam_server>-<WebSEAL_instance>/<app_root> <forms-default-acl>
    The following list describes the parts of the command:
    • <tam_server> – The host name of the Tivoli Access Manager server.
    • <WebSEAL_instance> – The name of the WebSEAL server instance that is configured to manage Leap.
    • <app_root> – The root path to the Leap applications. For example: /apps.
    • <forms-default-acl> – The access control list (ACL) defined in Step 6.
  8. Define the unprotected (bypass) access control list. You attach this list, using the pdadmin command-line utility, to unprotected resources and to resources that use basic authentication.
    Tivoli Access Manager passes HTTP requests for these resources through to WebSphere Application Server, which handles authentication itself. To define the unprotected access control list, enter the following commands:
    • acl create <forms-bypass-acl>
    • acl modify <forms-bypass-acl> set user sec_master TcmdbsvaBRlrx
    • acl modify <forms-bypass-acl> set any-other Tmdrx
    • acl modify <forms-bypass-acl> set unauthenticated Tmdrx
    where <forms-bypass-acl> is the name of the unprotected access control list.
  9. Attach the bypass ACL to resources that do not require authentication.
    Build the following command: acl attach /WebSEAL/<tam_server>-<WebSEAL_instance>/<object-path> <forms-bypass-acl>
    The following list describes the parts of the command:
    • <tam_server> – The host name of the Tivoli Access Manager server.
    • <WebSEAL_instance> – The name of the instance of the WebSEAL server configured to manage Leap.
    • <object-path> – The path to the resource on that domain, including:
      • /apps/anon
      • /apps/open
    • <forms-bypass-acl> – The access control list that you defined in Step 8.
    For example, a complete command is: acl attach /WebSEAL/tam.example.com-default/apps/anon example-bypass-acl.
  10. Configure Tivoli Access Manager to use forms authentication over both HTTP and HTTPS by updating the webseald-<server-name>.conf file. Add the following line to the [forms] stanza: forms-auth = both
  11. Configure content filtering by adding the following lines to the webseald-<server-name>.conf file:
    [filter-content-types]
    type = text/xml
    type = application/atom+xml

    [script-filtering]
    script-filter = yes
    rewrite-absolute-with-absolute = yes
  12. Configure Tivoli Access Manager as the reverse proxy for Leap. Update the webseald-<server-name>.conf file:
    • Add the following line to [server] stanza: web-host-name = <fully-qualified-host-name>
    • Add the following line to [session] stanza: use-same-session = yes
  13. Stop and restart your WebSEAL instance.
  14. Import users from LDAP into Tivoli Access Manager and enable their accounts.
    For example, to import a user with pdadmin:
    • user import sample_user1 "cn=sample_user1,cn=users,dc=yourcompany,dc=com"
    • user modify sample_user1 account-valid yes
  15. Configure the logout link and the serverURI in the Leap_config.properties file.
    Add the following lines so that logging out of Leap also ends the Tivoli Access Manager session, and so that Leap generates URLs that point at WebSEAL rather than at the backend server. Use the scheme (http or https) and host name that users actually use to reach WebSEAL.
    ibm.nitro.LogoutServlet.postLogoutRedirectURL=http://Webseal_server_host/pkmslogout
    ibm.nitro.NitroConfig.serverURI=http://Webseal_server_host/apps
  16. Optional: You can allow other clients that support only basic authentication to access Leap through Tivoli Access Manager. Create a new WebSEAL instance, and create a junction for /apps-basic at the new instance. For more information on creating a WebSEAL instance, see the Tivoli Access Manager Knowledge Center. To configure a basic authentication junction for Leap:
    1. Configure the SSL as described in Step 4.
    2. Create a transparent path junction as described in Step 5.
      Use the following parameters:
      • <WebSEAL_instance> – the name of the new instance
      • <transparent_path_jct> – set to /apps-basic
    3. Attach a default ACL for the new junction as described in Step 7.
      You will use the existing ACL created in Step 6, however the parameters must be changed to:
      • <WebSEAL_instance> – the name of the new instance
      • <app_root> – set to /apps-basic
    4. Attach a bypass ACL for the new junction as described in Step 9.
      You will use the existing ACL created in Step 8, however the parameters must be changed to:
      • <WebSEAL_instance> – the name of the new instance
      • <object_path> – set to
        • /apps-basic/anon
        • /apps-basic/open
    5. Configure the new instance to use basic authentication over both HTTP and HTTPS by updating its webseald-<server-name>.conf file. Add the following line to the [ba] stanza: ba-auth = both
    6. Go to the [forms] stanza, and ensure that forms-auth is set to none.
    7. Use Step 11 to configure content filtering.
    8. Use Step 12 to configure the reverse proxy and session settings, and then restart the new WebSEAL instance.
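The junction and ACL commands in Steps 5 to 9 (and their /apps-basic variants in Step 16) are easy to mistype, and the security of the setup rests on the permission strings: the default ACL gives unauthenticated users only T (traverse) so that WebSEAL forces a login on /apps but still lets requests traverse down to /apps/anon and /apps/open, where the bypass ACL grants Tmdrx. The following Python script is an added example, not part of the HCL Leap or Tivoli Access Manager documentation. It generates the pdadmin command batch for one junction root and audits `pdadmin acl show` output for what an unauthenticated user can effectively do. The ACL names (apps-default-acl, apps-bypass-acl), the host names, the key file path, and the `acl show` output below are assumed or constructed for illustration; it relies on the documented Tivoli Access Manager rule that an unauthenticated user's effective permissions are the intersection of the unauthenticated and any-other entries.

```python
"""Generate the pdadmin batch for a Leap junction and audit TAM ACL permission strings.
Added example; names, hosts and the sample 'acl show' output are assumed/constructed."""

# Permission letters used on this page (subset of the full TAM set).
PERM_ORDER = "TcmdbsvaBRlrx"


def junction_command(instance, tam_server, backend, port, keyfile, password, jct, ltpa2=True):
    """Step 5: one SSL transparent path junction with LTPA SSO enabled."""
    server = f"{instance}-webseald-{tam_server}"
    ltpa = "-A -2" if ltpa2 else "-A"  # -2 only for LTPA version 2 tokens
    return (f"server task {server} create -t ssl -h {backend} -p {port} -i -b ignore "
            f"{ltpa} -F {keyfile} -Z {password} -j -J trailer -k -x {jct}")


def acl_commands(name, unauthenticated):
    """Steps 6 and 8: identical except for the unauthenticated entry."""
    return [
        f"acl create {name}",
        f"acl modify {name} set user sec_master TcmdbsvaBRlrx",
        f"acl modify {name} set any-other Tmdrx",
        f"acl modify {name} set unauthenticated {unauthenticated}",
    ]


def attach_command(tam_server, instance, path, acl):
    """Steps 7 and 9: protected object name is /WebSEAL/<tam_server>-<instance><path>."""
    return f"acl attach /WebSEAL/{tam_server}-{instance}{path} {acl}"


def pdadmin_batch(instance, tam_server, backend, port, keyfile, password, root="/apps"):
    """Full command list for one root: junction, default ACL on the root,
    bypass ACL on <root>/anon and <root>/open. Works for /apps and /apps-basic."""
    base = root.strip("/")
    default_acl, bypass_acl = f"{base}-default-acl", f"{base}-bypass-acl"  # assumed names
    cmds = [junction_command(instance, tam_server, backend, port, keyfile, password, root)]
    cmds += acl_commands(default_acl, "T")          # login required on the root
    cmds.append(attach_command(tam_server, instance, root, default_acl))
    cmds += acl_commands(bypass_acl, "Tmdrx")       # anonymous paths pass through to WAS
    for sub in ("/anon", "/open"):
        cmds.append(attach_command(tam_server, instance, root + sub, bypass_acl))
    return cmds


def parse_acl_show(text):
    """Parse 'pdadmin acl show <name>' output into {principal: permission string}."""
    entries, in_entries = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Entries:"):
            in_entries = True
            continue
        if not in_entries or not line:
            continue
        parts = line.split()
        if parts[0] in ("User", "Group") and len(parts) == 3:
            entries[f"{parts[0].lower()} {parts[1]}"] = parts[2]
        elif parts[0] in ("Any-other", "Unauthenticated") and len(parts) == 2:
            entries[parts[0].lower()] = parts[1]
    return entries


def audit_acl(text):
    """Effective unauthenticated permissions = unauthenticated AND any-other.
    'r' means anonymous users can fetch the object without a WebSEAL login;
    a missing 'T' means nothing below this object is reachable anonymously,
    which would also cut off the /anon and /open bypass paths."""
    entries = parse_acl_show(text)
    unauth, other = set(entries.get("unauthenticated", "")), set(entries.get("any-other", ""))
    effective = "".join(p for p in PERM_ORDER if p in unauth and p in other)
    return {"effective_unauthenticated": effective,
            "anonymous_read": "r" in effective,
            "blocks_traversal": "T" not in effective}


# Constructed sample of 'acl show' output in the format pdadmin prints it.
SAMPLE_DEFAULT_ACL = """ACL Name: apps-default-acl
Description: Leap protected root
Entries:
    User sec_master TcmdbsvaBRlrx
    Any-other Tmdrx
    Unauthenticated T
"""

if __name__ == "__main__":
    for cmd in pdadmin_batch("default", "tam.example.com", "leap.example.com",
                             443, "C:\\WAS_ltpa.keys", "CHANGEME"):
        print(cmd)
    print(audit_acl(SAMPLE_DEFAULT_ACL))
```

Write the printed batch to a file and pass that file name to pdadmin as its command file rather than pasting the junction line into an interactive shell, since the -Z value is the LTPA key password. Run the audit against `acl show` for every ACL attached under the Leap root; only the bypass ACL on /anon and /open should report anonymous_read, and none should report blocks_traversal.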